August 20, 2019

AWS Security Automation - MFA Compliance - Part 1

by 4hathacker  |  in AWS SecOps at  3:35 PM

Hi folks!!!

It's been quite a long time since I last posted here. My bad, I was busy studying current technology trends in Cloud, DevOps and Security. Well, now I am here, and let's see what's next!!!

In this post, we will discuss how to enable MFA in an AWS account, and then proceed to automate the audit of non-MFA users with the help of some AWS services.



MFA stands for Multi-Factor Authentication. Authentication refers to the process of verifying a user or identity. It is the very first step that must be done before granting any identity - a user or a group of users - access to an IT environment.

A formal definition of MFA can be given as:
Authentication using two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). See Authenticator. (Source: NIST SP 800-53 Rev. 4, under Multifactor Authentication)

Most companies must follow some compliance requirements in order to work with data securely. For example, NIST SP 800-171 (or just 800-171) is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI), or to provide security protection for such systems. This document is based on the Federal Information Security Management Act of 2002 (FISMA) Moderate level requirements.

When you cut through the hype around MFA products, there are generally two ways to incorporate MFA:
(i) Out-of-Band (OOB) (e.g., accept an alert in an app on your phone, or receive a call or text message with a One-Time Password (OTP))
(ii) Cryptographic Token (e.g., digital certificate, keyfob, USB)
When it comes down to IT, a company may have to incorporate more than one type of MFA to comply with NIST 800-171, since many businesses operate in a hybrid environment where some of their data is stored locally and some is hosted in the cloud.
Coming back to Cloud Service Providers (CSPs), most of them are already compliant with this. Talking about my favorite, AWS is already compliant with these guidelines (refer here), and customers can effectively comply with NIST 800-171 immediately. NIST 800-171 outlines a subset of the NIST 800-53 requirements, a guideline under which AWS has already been audited under the FedRAMP program.

Also, according to the CIS Amazon Web Services Foundations Benchmark v1.2.0 (05-23-2018), it is recommended to ensure MFA is enabled for all IAM users that have a console password enabled. So, it's pretty clear that MFA compliance is the need of the hour!!!
Let us see how to enable MFA for IAM users in the AWS Console.

1. Go to the AWS Console and search for "IAM" in the "Services" drop-down.

2. In the IAM Console, you can see the users with different attributes like User name, Groups, Access key age, Password age, Last activity, MFA, etc. Under the MFA column, you can see which users have a "Virtual" MFA device (such as Google Authenticator or WinAuth) and which users show "Not enabled".



3. To enable MFA for a user showing "Not enabled", click on the username of that identity.



4. In the user Summary, check the status of "Assigned MFA device". It will show "Not assigned" for users without MFA.

5. Click "Manage" next to "Assigned MFA device" and a pop-up will appear with 3 types of MFA options, viz. Virtual MFA device, U2F security key, or Other hardware MFA device.



6. Install Google Authenticator on your mobile device, and here choose "Virtual MFA device". Then hit "Continue".


7. A new pop-up window will appear titled "Set up virtual MFA device". Hit "Show QR code" and scan it after tapping the "+" symbol in the Google Authenticator mobile app.


8. Type two consecutive MFA codes for the same user as they appear in the mobile app and hit "Assign MFA". (The QR code is hidden here behind the red box.)



9. You will see a message that MFA has been assigned.



10. Cross-check the same in the Summary section of your IAM user identity, next to "Assigned MFA device".



This procedure can also be done with aws-cli commands. I urge every AWS user to follow this as the first and primary security recommendation in an AWS account for a compliant work environment.
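As an added example (not part of the original post), the same "console password enabled but no MFA" condition from the CIS benchmark can be checked programmatically against the IAM credential report, the CSV that `aws iam get-credential-report` returns. The report below is a constructed sample with only the columns this check needs; `fetch_report_csv()` shows how the live report would be pulled with boto3 and is not called in the offline demo.

```python
"""Audit IAM users for: console password enabled AND no MFA device (CIS AWS Foundations check)."""
import csv
import io
from typing import Dict, List

# Constructed sample in the IAM credential-report layout. Assumption: only the
# columns used here are shown; a real report also carries access-key columns.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2019-08-01T10:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,2019-02-01T00:00:00+00:00,true,2019-08-19T09:12:00+00:00,2019-02-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::123456789012:user/bob,2019-03-01T00:00:00+00:00,true,no_information,2019-03-01T00:00:00+00:00,N/A,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2019-04-01T00:00:00+00:00,false,N/A,N/A,N/A,false
"""


def parse_report(csv_text: str) -> List[Dict[str, str]]:
    """Parse the credential report CSV into one dict per row (header row = keys)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def users_missing_mfa(rows: List[Dict[str, str]]) -> List[str]:
    """Return IAM user names that can log in to the console but have no active MFA.

    The root row reports password_enabled=not_supported, so it is skipped here;
    root MFA is a separate benchmark check. Access-key-only users (password_enabled
    false, e.g. svc-deploy) are out of scope for this check.
    """
    return [
        row["user"]
        for row in rows
        if row["password_enabled"].lower() == "true"
        and row["mfa_active"].lower() != "true"
    ]


def fetch_report_csv() -> str:
    """Pull the live report with boto3 (needs AWS credentials; not used offline).

    generate_credential_report() is asynchronous: until its State is COMPLETE,
    get_credential_report() raises CredentialReportNotReadyException, so a real
    job should retry with a short sleep.
    """
    import boto3
    iam = boto3.client("iam")
    iam.generate_credential_report()
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for user in users_missing_mfa(parse_report(SAMPLE_REPORT)):
        print(f"NON-COMPLIANT (console password, no MFA): {user}")
```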

In this post, we have seen how a baseline for security compliance is set up using MFA in AWS. In the upcoming post, we will see how to measure NON-COMPLIANCE with this baseline, how to report it, and then how to remediate it with the help of AWS Lambda.
