5) IAM MFA Overview(IAM Password Policy)- AWS Certified Solutions Architect Associate Course SAA-C02- Now that we have created users and groups, it is time for us to protect these users and groups from being compromised.

• So for this we have two defense mechanisms.
• The first one is to define what’s called a Password Policy.
• Why?
• Well’ because the stronger the password you use
• the more security for your accounts.
• So in AWS, you can set up a password policy.
• with different options.
• The first one is you can set a minimum password length.
• and you can require specific character types,
• for example, you may want to have an uppercase letter,
• lowercase letter, number, non-alphanumeric characters,
• for example a questions mark and so on.
• Then you can allow or not,
• IAM users to change their own passwords
• or you can require users to change their password.,
• after some time, to make your password expired,
• for example, to say every 90 days, users have to change their passwords.
• Finally, you can also prevent password reuse.
• so that users when they change their passwords,
• dont change it to the one they already have
• or change it to the one they had before.
• So this is great, a password policy, really is helpful,
• against brute force attacks on your accounts.
• But there’s a second defense mechanism.
• that you need to know, going into the exam,

Multi Factor Authentication- MFA

• and this is the Multi Factor Authentication or MFA.
• It is possible you already to use it, on some websites.
• but on AWS it’s a must and it’s very recommended to use it.
• So, users have access to your account,
• and they can possibly do a lot of things,
• especially if they’re, administrators,
• they can change configuration, delete resources.
• and other things.
• So you absolutely want to protect at least
• your Root Accounts and hopefully all your IAM users.
• so how do you protect them on top of the password?
• Well, you use an MFA device.
• So what is MFA?
• MFA is using the combination of a password that you know,
• and a security device that you own.
• and these two things together,
• have a much greater security than just a password.
• So for example, let us take Alice.

• Alice Knows her password,
• but she also has an MFA Generating token.
• and by using these things together while logging in,
• she is going to be able to do a successful login on MFA.
• so the benefit of MFA is that even if Alice
• has lost her password, because it’s stolen or it’s hacked,
• the account will not be compromised because the hacker,
• will need to also get a hold of the physical device.
• of Alice that could be a phone for example to do a login.

MFA Devices Options in AWS

• Obviously, that is much less likely.
• So what are the MFA devices option in AWS
• and you should know them going to the exam.
• but don’t worry they’re quite simple.
• The first one is a Virtual MFA device,

• this is what we’ll be using in the hands on
• and so you can use Google Authenticator,
• which is just working on one phone at a time,
• or using Authy which is multi-device
• They both work the same except one is multi-device.
• And personally I use Authy because I like the fact that
• I can use it on my computer and on my phones.

• So, for Authy you have support
• for multiple tokens on a single device.
• So, that means that with a Virtual MFA device,
• you can have your root account, your IAM user,
• and another account, and another IAM user,
• its up to you, you can have as many users
• and accounts as you want on your Virtual MFA device,
• which make it a very easy solution to use.

• Now we have another thing called
• a universal 2nd Factor or U2F Security Key,
• and that is a physical device, for example,
• a YubiKey by Yubico and Yubico is a a 3rd party to AWS,
• this is not the AWS that provided, this is a 3rd party
• and we use a physical device,
• because maybe it’s super easy, you put it your Key fobs
• and you’re good to go.
• So this YubiKey supports multiple root and IAM users
• using a single security so you don’t need as many keys
• as users otherwise that will be a nightmare.
• Then your other options,

• you have a hardware key Fob MFA device
• for example this one provided by Gemalto
• which is also a third party to AWS
• and finally, if you are using the cloud of the government.

• in the US, The AWS GovCloud then you have a special Key Fob,
• That looks like this, that is provided by SurePassID
• which is also a 3rd party.
• So that’s it, we’ve seen the theory
• on how to protect your account.
• but let’s go the next lecture to implement that.
• So I will see you in the next lecture.