5) IAM MFA Overview (IAM Password Policy) - AWS Certified Solutions Architect Associate Course SAA-C02 - Section 1: IAM & AWS CLI

BySai Charan Paloju

Jul 26, 2022

Now that we have created users and groups, it is time to protect those users and groups from being compromised. For this we have two defense mechanisms.

The first one is to define what is called a password policy. Why? Because the stronger the passwords you use, the more secure your accounts are. In AWS you can set up a password policy with different options. You can set a minimum password length, and you can require specific character types: for example an uppercase letter, a lowercase letter, a number, and non-alphanumeric characters such as a question mark. You can allow IAM users to change their own passwords, or not. You can require users to change their password after some time, so that passwords expire: for example, every 90 days users have to change their passwords. Finally, you can also prevent password reuse, so that when users change their passwords they don't change it to the one they already have, or to one they had before. So a password policy is great; it really helps against brute force attacks on your accounts.

But there is a second defense mechanism that you need to know going into the exam.
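As an added example, not part of the lecture or of AWS's own code, the following Python models the password-policy options just described as checks a practitioner can run: minimum length, required character types, expiry after a maximum age, and reuse prevention against the last N passwords. The helper names are hypothetical, and the policy values, salt and sample passwords are constructed for illustration; in AWS these rules are enforced server-side once the policy is set on the account.

```python
"""Password-policy checks mirroring the IAM account password policy options
discussed above: minimum length, required character types, password expiry
and reuse prevention. Added example with our own helper names; the policy
values and sample passwords below are constructed for illustration."""
import hashlib
import string
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    minimum_length: int = 14
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_numbers: bool = True
    require_symbols: bool = True        # non-alphanumeric, e.g. "?"
    allow_users_to_change: bool = True
    max_password_age_days: int = 90     # 0 means passwords never expire
    reuse_prevention: int = 24          # how many previous passwords are remembered


# Constructed per-user salt; a real store keeps one random salt per user.
SALT = b"constructed-salt-for-alice"


def fingerprint(password: str) -> str:
    """Reuse history stores salted hashes, never the old passwords themselves."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()


def check_password(policy: PasswordPolicy, candidate: str, previous: list) -> list:
    """Return the list of policy violations; an empty list means the password is accepted.

    `previous` is the user's history of fingerprints, oldest first."""
    problems = []
    if len(candidate) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    if policy.require_uppercase and not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if policy.require_lowercase and not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if policy.require_numbers and not any(c.isdigit() for c in candidate):
        problems.append("no number")
    if policy.require_symbols and not any(c in string.punctuation for c in candidate):
        problems.append("no non-alphanumeric character")
    # Reuse prevention: only the last N remembered fingerprints count.
    if policy.reuse_prevention and fingerprint(candidate) in previous[-policy.reuse_prevention:]:
        problems.append(f"matches one of the last {policy.reuse_prevention} passwords")
    return problems


def password_expired(policy: PasswordPolicy, last_changed: str, now: str) -> bool:
    """Expiry check on ISO-8601 dates: True once the password is older than the max age."""
    if policy.max_password_age_days == 0:
        return False
    age = datetime.fromisoformat(now) - datetime.fromisoformat(last_changed)
    return age > timedelta(days=policy.max_password_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [fingerprint("Tr0ub4dor&3xample!")]        # Alice's current password
    print(check_password(policy, "password", history))
    print(check_password(policy, "Tr0ub4dor&3xample!", history))   # rejected: reuse
    print(check_password(policy, "Correct-Horse-Battery-9", history))
    print(password_expired(policy, "2022-04-01", "2022-07-26"))
```

The reuse check compares salted hashes rather than plaintext so that the history itself is not a second copy of every old password, and the slice `previous[-N:]` is what makes "remember the last 24 passwords" a bounded window rather than a lifetime ban.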

Multi-Factor Authentication - MFA

This is Multi-Factor Authentication, or MFA. You may already use it on some websites, but on AWS it is a must and it is very strongly recommended. Users have access to your account and can possibly do a lot of things, especially if they are administrators: they can change configuration, delete resources and more. So you absolutely want to protect at least your root account, and hopefully all your IAM users. How do you protect them on top of the password? You use an MFA device.

So what is MFA? MFA combines a password that you know with a security device that you own, and these two things together give much greater security than a password alone. For example, take Alice. Alice knows her password, but she also has an MFA token generator. By using these two things together while logging in, she is able to complete a successful MFA login. The benefit of MFA is that even if Alice has lost her password, because it was stolen or hacked, the account will not be compromised, because the attacker would also need to get hold of Alice's physical device, which could be her phone for example, to log in.

MFA Device Options in AWS

Obviously, that is much less likely. So what are the MFA device options in AWS? You should know them going into the exam, but don't worry, they are quite simple.

The first one is a Virtual MFA device; this is what we will be using in the hands-on. You can use Google Authenticator, which works on one phone at a time, or Authy, which is multi-device. They both work the same, except one is multi-device. Personally I use Authy because I like the fact that I can use it on my computer and on my phones.

With Authy you have support for multiple tokens on a single device. That means that with a Virtual MFA device you can have your root account, your IAM user, another account, another IAM user, and so on; it's up to you. You can have as many users and accounts as you want on your Virtual MFA device, which makes it a very easy solution to use.
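As an added example, not from the lecture, from AWS or from any authenticator vendor, the Python below shows what a virtual MFA device such as Google Authenticator or Authy actually produces and how a login that requires both factors rejects a stolen password on its own, which is the Alice scenario from the previous section. The code-generation routine follows RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), which is what these apps implement; the user record, salt, base32 seed and helper names are constructed for this illustration.

```python
"""Virtual MFA login check: a password the user knows plus a time-based one-time
code from an authenticator app the user owns. Added example; the TOTP routine
follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), which is what phone
authenticator apps generate. The user record, salt and seed are constructed."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed sample user: salted PBKDF2 password hash plus the base32 seed that
# was shared with the authenticator app when the virtual MFA device was enrolled.
SALT = b"constructed-per-user-salt"
USER = {
    "name": "alice",
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"Tr0ub4dor&3xample!", SALT, 100_000),
    "mfa_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),   # constructed seed
}


def password_ok(user: dict, candidate: str) -> bool:
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, 100_000)
    return hmac.compare_digest(attempt, user["password_hash"])


def mfa_code_ok(user: dict, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the code for the current step and +/- drift_steps to absorb clock skew."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(user["mfa_secret"], unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(user: dict, candidate_password: str, code: str, unix_time=None) -> bool:
    """Both factors must pass: a stolen password alone is not enough."""
    now = int(time.time()) if unix_time is None else unix_time
    # Evaluate both factors so a failure does not reveal which one was wrong.
    pw = password_ok(user, candidate_password)
    mfa = mfa_code_ok(user, code, now)
    return pw and mfa


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USER["mfa_secret"], now)    # what Alice's phone would display now
    print("password + current code:", login(USER, "Tr0ub4dor&3xample!", code, now))
    print("stolen password, no device:", login(USER, "Tr0ub4dor&3xample!", "000000", now))
```

The seed is the only thing the app and the account share, which is why Authy can hold many such seeds for many root and IAM users on one device, and why the seed must be protected as carefully as a password. The one-step drift window is the usual compromise between tolerating phone clock skew and keeping each code valid for only about a minute.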

Another option is a Universal 2nd Factor (U2F) security key. That is a physical device, for example a YubiKey by Yubico. Yubico is a third party to AWS; this is not something AWS provides. We use a physical device because it is super easy: you put it on your key fob and you are good to go. A YubiKey supports multiple root and IAM users using a single security key, so you don't need as many keys as users, which would otherwise be a nightmare.

Then there are other options. You have a hardware key fob MFA device, for example the one provided by Gemalto, which is also a third party to AWS. Finally, if you are using the US government cloud, AWS GovCloud, then you have a special key fob provided by SurePassID, which is also a third party.

So that's it, we have seen the theory on how to protect your account. Let's go to the next lecture to implement it. I will see you in the next lecture.

By Sai Charan Paloju

Trained AWS Certified Solutions Architect Associate Course SAA-C02/Content Writer/Creator, Masters Degree- Software Engineering, Bachelors Degree- Computer Science & Engineering, Youtuber- Host/Interviewer/Content Creator/Video Editor, Podcaster- Host/Interviewer/Content Creator/Editor, Technical Writer, Social Media Manager/Influencer Ex-Professional Cricketer mailme@smartcherrysthoughts.com https://smartcherrysthoughts.com/
