Strong authentication is a critical security control that helps protect systems, applications, and data from unauthorized access. By requiring multiple factors of authentication, organizations can significantly reduce the risk of account compromise and data breaches. Let's dive into the details of this important security measure.
Where did this come from?
CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix here.
This control is part of the Identity & Access Management domain and is inspired by industry best practices and regulatory requirements such as NIST 800-63B and PCI DSS. For more information on AWS's implementation of strong authentication, check out their documentation on multi-factor authentication.
Who should care?
- Security administrators responsible for protecting sensitive data and systems
- Compliance officers ensuring adherence to regulatory requirements
- IT managers overseeing access management for their organization
- Developers building applications that handle sensitive data
What is the risk?
Weak authentication, such as relying solely on passwords, leaves accounts vulnerable to various attack vectors:
- Brute force attacks attempting to guess weak passwords
- Phishing attacks tricking users into revealing their credentials
- Password reuse across multiple services, amplifying the impact of a single breach
- Keystroke loggers capturing passwords entered on compromised devices
Implementing strong authentication, particularly for privileged users and sensitive data access, can significantly mitigate these risks. Multi-factor authentication (MFA) is highly effective at preventing unauthorized access, even if a password is compromised.
What's the care factor?
Strong authentication should be a top priority for any organization handling sensitive data or managing critical systems. The consequences of a breach can be severe, including:
- Data theft and privacy violations
- Reputational damage and loss of customer trust
- Financial losses from fraud or business disruption
- Regulatory fines and legal liabilities
Investing in strong authentication is a relatively low-cost and high-impact security measure that can provide significant risk reduction.
When is it relevant?
Strong authentication is particularly important in the following scenarios:
- Remote access to corporate networks and resources
- Administrative access to sensitive systems and databases
- User accounts with elevated privileges
- Applications handling sensitive data such as financial or health information
However, it may be less critical for low-risk scenarios such as access to public information or internal resources with minimal sensitivity.
What are the trade offs?
Implementing strong authentication does come with some costs and considerations:
- User experience: MFA can add friction to the login process, requiring users to carry tokens or have access to their mobile devices.
- Implementation costs: Rolling out MFA may require purchasing hardware tokens, licensing software, or investing in infrastructure to support it.
- Support overhead: Additional authentication factors can lead to increased support requests for lost tokens, device issues, or account lockouts.
- Emergency access: Organizations need to plan for emergency access scenarios when MFA is unavailable or fails.
However, these costs are generally outweighed by the security benefits in most cases.
How to make it happen?
To implement strong authentication in your AWS environment:
- Enable MFA for all IAM users, especially those with console access or API access to sensitive resources.
- Use AWS Multi-Factor Authentication (MFA) devices such as virtual MFA applications or hardware tokens.
- Require MFA for all privileged actions, such as modifying IAM permissions or accessing sensitive S3 buckets.
- Use IAM policies to enforce MFA for specific actions or resources. For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccessWithMFA",
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}- Enable MFA Delete on S3 buckets containing sensitive data to prevent accidental or malicious deletion.
- Consider implementing AWS Single Sign-On (SSO) with MFA for centralized access management across multiple accounts and applications.
- Monitor and alarm on root account usage, IAM access key usage, and other sensitive authentication events using AWS CloudTrail.
What are some gotchas?
- MFA requires additional IAM permissions such as
iam:EnableMFADevice,iam:ListMFADevices,iam:ResyncMFADevice, etc. Ensure IAM policies grant necessary permissions. - When using AWS API or CLI with MFA, users need to generate temporary STS credentials using
aws sts get-session-tokenand provide their MFA code. - Virtual MFA devices can be lost if a phone is wiped or stolen. Have a process to revoke and reissue MFA devices.
- Some AWS services (like AWS CodeCommit) don't support MFA natively. Use Git credentials or SSH keys instead.
What are the alternatives?
- AWS supports U2F security keys as an alternative to virtual or hardware MFA tokens. These provide strong phishing resistance.
- For workloads that don't support MFA natively, consider using tools like HashiCorp Vault or AWS Secrets Manager for secure secret management with MFA.
- Implement risk-based authentication that prompts for MFA based on user behavior, location, or device rather than statically.
Explore further
- AWS Blog Post: How to Delegate Management of Multi-Factor Authentication to AWS IAM Users
- CIS AWS Foundations Benchmark 1.2.0: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
- NIST Special Publication 800-63B: Digital Identity Guidelines - Authentication and Lifecycle Management
