
AWS Security: Using Multi Factor Authentication (MFA)


In the last post we mentioned the AWS Multi Factor Authentication service and its use in securing the Simple Storage Service (S3). Now we’ll see how to add MFA to the Amazon services that support it.

AWS Multi-Factor Authentication

It is a service that adds another security layer to our AWS environment. Once we enable MFA, users must enter, in addition to username and password (the first factor), a code provided by the MFA device (the second authentication factor). If someone gets hold of our AWS credentials they cannot access the services without the MFA token. This token is provided either by a physical device or by one of several virtual applications available for all smartphones. MFA can be enabled for our AWS root accounts or assigned to any IAM user that we create under our root account.

AWS: Multi Factor Authentication at work

Getting ready

Before we start creating MFA-protected users we should enable MFA for our root account, since this is the account with unlimited privileges. This is as simple as opening the IAM service in the AWS Console, selecting Manage MFA Device under Security Status and following the instructions:

AWS: Enabling Root MFA

Activating IAM User’s MFA

Once the root account is secured we can start assigning MFA devices to the accounts we need to protect. This can be done using the AWS Console, the IAM API or the IAM Command Line Toolkit (only to enable, re-sync or deactivate the device). If you plan to use virtual devices, note that the secret configuration key or its QR code can be generated only from the Console, while physical devices can also be paired using the IAM API action EnableMFADevice or the CLI command iam-userenablemfadevice.

AWS: Adding an MFA to IAM User

After that, IAM users logging in will see this additional screen requesting the code generated by their MFA device:

AWS MFA: IAM user accessing

Using MFA-Protected APIs

Since MFA is part of IAM, we can require it for every service that supports the Security Token Service (STS) and temporary security credentials. With MFA-protected API access we can force users to authenticate through the AWS Console (or STS) with an MFA device before they can call any API we have specified. IAM policies can selectively grant or deny access to an API using, as a Condition, the existence or the age of the MFA token. Like other IAM policies, MFA policies can be attached to users, groups or individual resources.

In S3 Security using IAM, CloudFront and Route 53 we used a policy to restrict access to an S3 bucket to SysAdmins carrying an MFA device:

...
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::our-company-bucket/SysAdmin/*",
      "Condition": { "Null": { "aws:MultiFactorAuthAge": true } }
    },
...

MFA authentication can be required for other AWS services like EC2, RDS, DynamoDB, etc. This group policy, for example, gives everyone in the group access to the AWS APIs, while restricting the RDS APIs to those who carry an MFA device:

{
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*"
    },
    {
      "Action": ["rds:*"],
      "Effect": "Deny",
      "Resource": ["*"],
      "Condition": {
        "Null": { "aws:MultiFactorAuthAge": "true" }
      }
    }
  ]
}

Access to IAM itself is not granted (it is excluded by listing “iam:*” as “NotAction”), so users cannot make “inopportune” changes to their own policies.

Of course permissions can be more granular: we can deny, for example, the permission to stop/terminate instances in EC2 or to delete a DB snapshot in RDS, as in the following snippet:

...
    {
      "Action": ["ec2:StopInstances", "ec2:TerminateInstances", "rds:DeleteDBSnapshot"],
      "Effect": "Deny",
      "Resource": ["*"],
      "Condition": {
        "Null": { "aws:MultiFactorAuthAge": "true" }
      }
    }
...

As we can see, the possible combinations are limited only by the actions available in each service’s API.
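To see how the three policies above behave without touching a real account, here is a small evaluator written for this post (it is an added example, not AWS code and not the policy engine itself). It models only the subset of IAM evaluation logic these policies rely on: an explicit Deny always wins, then an explicit Allow, otherwise the request is implicitly denied; Action/NotAction with wildcards; the Null operator on aws:MultiFactorAuthAge (the key is absent from the request context unless the caller authenticated with MFA); and NumericGreaterThan, used by one constructed statement to show the "duration" condition the text mentions. The request contexts and the one-hour limit are constructed values.

```python
"""Simplified IAM policy evaluator (added example, not AWS code)."""
from fnmatch import fnmatchcase

# The group policy from the post, plus the EC2/RDS deny statement of the last snippet.
GROUP_POLICY = {
    "Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {
            "Action": ["rds:*"],
            "Effect": "Deny",
            "Resource": ["*"],
            "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}},
        },
        {
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances", "rds:DeleteDBSnapshot"],
            "Effect": "Deny",
            "Resource": ["*"],
            "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}},
        },
    ]
}

# Constructed statement (not from the post): also deny deleting snapshots when the
# MFA was validated more than one hour (3600 s) ago, i.e. the token is "stale".
STALE_MFA_DENY = {
    "Action": ["rds:DeleteDBSnapshot"],
    "Effect": "Deny",
    "Resource": ["*"],
    "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": "3600"}},
}
FRESH_MFA_POLICY = {"Statement": GROUP_POLICY["Statement"] + [STALE_MFA_DENY]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    """Action: the request must match a pattern; NotAction: it must match none."""
    if "Action" in statement:
        return any(fnmatchcase(action, p) for p in _as_list(statement["Action"]))
    return not any(fnmatchcase(action, p) for p in _as_list(statement["NotAction"]))


def _condition_matches(statement, context):
    """Null {key: "true"} is satisfied when the key is absent from the context,
    "false" when it is present. A missing key never satisfies a numeric test."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            if operator == "Null":
                if (key not in context) != (str(expected).lower() == "true"):
                    return False
            elif operator == "NumericGreaterThan":
                if key not in context or not context[key] > float(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def evaluate(policy, action, context):
    """Return 'Allow' or 'Deny' for one API action under one policy document.

    `context` is the request context: an MFA-authenticated session carries
    aws:MultiFactorAuthAge (seconds since the MFA code was validated), a plain
    password or access-key session does not carry the key at all.
    """
    allowed = False
    for statement in policy["Statement"]:
        if not (_action_matches(statement, action) and _condition_matches(statement, context)):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny


# Constructed request contexts.
MFA_SESSION = {"aws:MultiFactorAuthAge": 120}     # MFA validated 2 minutes ago
OLD_MFA_SESSION = {"aws:MultiFactorAuthAge": 7200}  # MFA validated 2 hours ago
PASSWORD_ONLY = {}                                 # no MFA at all

if __name__ == "__main__":
    for action in ("rds:DescribeDBInstances", "ec2:DescribeInstances",
                   "ec2:TerminateInstances", "rds:DeleteDBSnapshot", "iam:CreateUser"):
        print(f"{action:24} mfa={evaluate(FRESH_MFA_POLICY, action, MFA_SESSION):5} "
              f"old-mfa={evaluate(FRESH_MFA_POLICY, action, OLD_MFA_SESSION):5} "
              f"no-mfa={evaluate(FRESH_MFA_POLICY, action, PASSWORD_ONLY)}")
```

Running it shows why the non-MFA user in the screenshots below cannot even list DB instances: rds:DescribeDBInstances matches "rds:*" and the Null condition holds, so the Deny statement fires before the broad Allow is considered. iam:CreateUser is denied for everyone, with or without MFA, because no statement grants it.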

MFA on a daily basis

Managing MFA permissions on a large user base is not so difficult: all we need is common sense when mapping company departments or profiles to IAM groups and users, always following the least-privilege principle. The administrative staff who verify our AWS spending will only need read-only permissions, so the “ec2:StopInstances” action does not even need to be considered for them.

Managing MFA permissions can, however, be frustrating: the AWS Console does not provide very descriptive error messages when a user lacks a permission. Given the group policy in the second snippet (which precludes RDS actions for users without an MFA device), a non-MFA user gets this message when trying to launch a DB instance from the dashboard:

AWS: Using MFAs API Programmatic access

Note that such a user cannot even enumerate RDS resources in the dashboard. The following is the error we get when trying to list DB instances as a non-MFA user:

AWS: Using MFAs API Programmatic access

Re-syncs happen: with physical MFA devices this is a frequent message. Because of the way they are engineered, MFA tokens need to be re-synchronized quite often, as explained in the related MFA FAQ.

AWS: Using MFAs API Programmatic access

Virtual multi-factor authentication applications were NOT created equal: AWS Virtual MFA is available only for Android smartphones, and it requires installing Amazon’s AppStore and purchasing the app through the Amazon Store. A little clunky, isn’t it?

Fortunately for us the Google Authenticator app is way smoother: one-click ready and available on all smartphones worth buying.

Final thoughts

After introducing Multi Factor Authentication, we can conclude our “Introductory journey through AWS Security”. So far we have also covered EC2’s AMI and RDS Best Practices, Virtual Private Cloud Security, and S3 Security using IAM, CloudFront and Route 53. We hope to have contributed to a clearer vision of the “big security picture” in AWS: once properly configured, AWS environments are just as secure as old on-premise ones, or even better.

Resources:

Using Multi-Factor Authentication (MFA) Devices with AWS: http://docs.aws.amazon.com/…/Using_ManagingMFA.html
Limitations on IAM Entities: http://docs.aws.amazon.com/…/LimitationsOnEntities.html
MFA Devices and Your IAM-Enabled Sign-in Page: http://docs.aws.amazon.com/…/LoginPage_MFA.html

2 Responses to “AWS Security: Using Multi Factor Authentication (MFA)”

  1. geva30

    I know it’s off topic, but I have to ask: which tool do you use to create those beautiful diagrams?

