Multi-factor authentication - AWS Prescriptive Guidance

Multi-factor authentication

Each row below gives the Essential Eight control, followed by the implementation guidance theme, the AWS resources, and the AWS Well-Architected guidance that apply to it.

Control: Multi-factor authentication is used by an organisation's users if they authenticate to their organisation's internet-facing services.
  Implementation guidance: Theme 4: Manage identities: Implement identity federation
    AWS resources:
    - Require human users to federate with an identity provider to access AWS by using temporary credentials
    - Implement temporary elevated access to your AWS environments
    AWS Well-Architected guidance: SEC02-BP04 Rely on a centralized identity provider
  Implementation guidance: Theme 4: Manage identities: Enforce MFA
    AWS resources:
    - Require MFA for the root user
    - Require MFA through AWS IAM Identity Center
    - Consider requiring MFA for service-specific API actions
    AWS Well-Architected guidance: SEC02-BP01 Use strong sign-in mechanisms

Control: Multi-factor authentication is used by an organisation's users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
  Implementation guidance: See Implementing Multi-Factor Authentication (ACSC website)
  AWS resources: Not applicable
  AWS Well-Architected guidance: Not applicable

Control: Multi-factor authentication (where available) is used by an organisation's users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.
  Implementation guidance: See Implementing Multi-Factor Authentication (ACSC website)
  AWS resources: Not applicable
  AWS Well-Architected guidance: Not applicable

Control: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation's internet-facing services.
  Implementation guidance: See Implementing Multi-Factor Authentication (ACSC website)
  AWS resources: Not applicable
  AWS Well-Architected guidance: Not applicable

Control: Multi-factor authentication is used to authenticate privileged users of systems.
  Implementation guidance: Theme 4: Manage identities: Implement identity federation
    AWS resources:
    - Require human users to federate with an identity provider to access AWS by using temporary credentials
    - Implement temporary elevated access to your AWS environments
    AWS Well-Architected guidance: SEC02-BP04 Rely on a centralized identity provider
  Implementation guidance: Theme 4: Manage identities: Enforce MFA
    AWS resources:
    - Require MFA for the root user
    - Require MFA through AWS IAM Identity Center
    - Consider requiring MFA for service-specific API actions
    AWS Well-Architected guidance: SEC02-BP01 Use strong sign-in mechanisms

Control: Multi-factor authentication is used to authenticate users accessing important data repositories.
  Implementation guidance: Theme 4: Manage identities: Enforce MFA
    AWS resources: Consider requiring MFA for service-specific API actions
    AWS Well-Architected guidance: SEC02-BP01 Use strong sign-in mechanisms
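The rows above that point to "Consider requiring MFA for service-specific API actions" rely on the IAM condition key aws:MultiFactorAuthPresent, which is present (true or false) for requests made with temporary credentials and absent for requests signed with long-term access keys. The following is an added example, not code from the AWS guidance: a Deny statement that protects destructive actions on a data repository unless MFA was used, paired with a deliberately minimal model of the Bool and BoolIfExists operators so the difference is visible. The bucket name, the request contexts and the evaluator itself are constructed for illustration; the evaluator is not the IAM policy engine and models only these two operators.

```python
"""Added example (not from the AWS page): MFA-gated Deny statement and a
minimal model of how aws:MultiFactorAuthPresent is evaluated. The evaluator
handles only Bool / BoolIfExists and is an illustration, not the IAM engine."""
import copy
import fnmatch

# Hypothetical repository; substitute the bucket you are protecting.
BUCKET_ARN = "arn:aws:s3:::example-sensitive-data"

MFA_DENY_STATEMENT = {
    "Sid": "DenyDestructiveS3WithoutMFA",
    "Effect": "Deny",
    "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutBucketPolicy"],
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    # BoolIfExists also matches when the key is absent, which is the case for
    # requests signed with long-term access keys, so those are denied too.
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# The common mistake: plain Bool. An absent key means the condition does not
# match, so a long-term access key slips past the Deny.
WEAK_DENY_STATEMENT = copy.deepcopy(MFA_DENY_STATEMENT)
WEAK_DENY_STATEMENT["Sid"] = "DenyDestructiveS3WithoutMFA_Weak"
WEAK_DENY_STATEMENT["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}

# Request contexts as IAM would see them (constructed for this example).
CONTEXTS = {
    "console_session_with_mfa": {"aws:MultiFactorAuthPresent": "true"},
    "temporary_credentials_no_mfa": {"aws:MultiFactorAuthPresent": "false"},
    "long_term_access_key": {},  # key not present in the request context
}


def _bool_condition_matches(condition, request_context):
    """Return True if every Bool / BoolIfExists key in the block matches."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if key not in request_context:
                if operator == "Bool":
                    return False  # missing key: the statement cannot match
                continue          # BoolIfExists: a missing key counts as a match
            if str(request_context[key]).lower() != str(expected).lower():
                return False
    return True


def statement_denies(statement, action, resource, request_context):
    """True if this Deny statement applies to the action/resource/context."""
    if statement["Effect"] != "Deny":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in statement["Action"]):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in statement["Resource"]):
        return False
    return _bool_condition_matches(statement.get("Condition", {}), request_context)


def compare_statements(action="s3:DeleteObject", resource=BUCKET_ARN + "/report.csv"):
    """Map each credential type to (denied with BoolIfExists, denied with Bool)."""
    return {
        name: (statement_denies(MFA_DENY_STATEMENT, action, resource, ctx),
               statement_denies(WEAK_DENY_STATEMENT, action, resource, ctx))
        for name, ctx in CONTEXTS.items()
    }


if __name__ == "__main__":
    for name, (strong, weak) in compare_statements().items():
        print(f"{name:30} BoolIfExists denies={strong!s:5} Bool denies={weak}")
```

Only the long-term-access-key row differs between the two statements, which is exactly the case a policy author forgets: a user who has a valid access key pair and no MFA session is stopped by the BoolIfExists form and waved through by the Bool form.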
Control: Multi-factor authentication is verifier impersonation resistant and uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
  Implementation guidance: See Implementing Multi-Factor Authentication (ACSC website)
  AWS resources: Not applicable
  AWS Well-Architected guidance: Not applicable

Control: Successful and unsuccessful multi-factor authentications are centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
  Implementation guidance:
  - Theme 7: Centralise logging and monitoring: Enable logging
  - Theme 7: Centralise logging and monitoring: Centralise logs
  AWS resources:
  - Centralise CloudWatch Logs in an account for auditing and analysis (AWS blog post)
  - Centralize management of Amazon Inspector
  - Centralise management of Security Hub
  - Create an organisation-wide aggregator in AWS Config (AWS blog post)
  - Centralise management of GuardDuty
  - Consider using Security Lake
  - Receive CloudTrail logs from multiple accounts
  - Send logs to a log archive account
  AWS Well-Architected guidance:
  - SEC04-BP01 Configure service and application logging
  - SEC04-BP02 Capture logs, findings, and metrics in standardized locations
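The last control asks for successful and unsuccessful MFA authentications to be logged centrally and monitored. For IAM users and the root user, the evidence lands in CloudTrail as ConsoleLogin events from signin.amazonaws.com, where responseElements.ConsoleLogin records Success or Failure and additionalEventData.MFAUsed records Yes or No. The following is an added example, not part of the AWS guidance: it reads CloudTrail records as exported to a log archive (one JSON record per line), separates MFA and non-MFA sign-ins, and raises three kinds of finding a monitoring team would act on. All records are constructed sample data shaped like real ConsoleLogin events; the account ID, user names and IP addresses are placeholders. Sign-ins that go through AWS IAM Identity Center or an external identity provider leave their MFA evidence in that provider's logs and are not covered by this check.

```python
"""Added example (not from the AWS page): triage of CloudTrail ConsoleLogin
events for the MFA logging control. SAMPLE_RECORDS are constructed data that
follow the shape of real ConsoleLogin events."""
import json
from collections import Counter, defaultdict

ACCOUNT = "123456789012"  # placeholder account ID used in the constructed records


def _console_login(time, identity, ip, outcome, mfa_used):
    """Build a record shaped like a CloudTrail ConsoleLogin event (constructed)."""
    record = {
        "eventVersion": "1.08",
        "eventTime": time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": identity,
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa_used,
                                "LoginTo": "https://console.aws.amazon.com/console/home",
                                "MobileVersion": "No"},
    }
    if outcome == "Failure":
        record["errorMessage"] = "Failed authentication"
    return record


def _iam_user(name):
    return {"type": "IAMUser", "accountId": ACCOUNT, "userName": name,
            "arn": f"arn:aws:iam::{ACCOUNT}:user/{name}"}


ROOT = {"type": "Root", "accountId": ACCOUNT, "arn": f"arn:aws:iam::{ACCOUNT}:root"}

SAMPLE_RECORDS = [
    _console_login("2024-05-01T08:00:12Z", _iam_user("alice"), "203.0.113.10", "Success", "Yes"),
    _console_login("2024-05-01T08:02:40Z", _iam_user("bob"), "203.0.113.11", "Success", "No"),
    _console_login("2024-05-01T08:05:03Z", ROOT, "203.0.113.12", "Success", "Yes"),
    _console_login("2024-05-01T08:10:00Z", _iam_user("carol"), "198.51.100.7", "Failure", "No"),
    _console_login("2024-05-01T08:10:05Z", _iam_user("carol"), "198.51.100.7", "Failure", "No"),
    _console_login("2024-05-01T08:10:09Z", _iam_user("dave"), "198.51.100.7", "Failure", "No"),
    # Unrelated API event; the parser must skip it.
    {"eventVersion": "1.08", "eventTime": "2024-05-01T08:11:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": _iam_user("alice"), "sourceIPAddress": "203.0.113.10"},
]
# One JSON record per line, as a log archive export would deliver them.
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]


def parse_console_logins(lines):
    """Reduce ConsoleLogin records to the fields the MFA control cares about."""
    out = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "signin.amazonaws.com" or ev.get("eventName") != "ConsoleLogin":
            continue
        ident = ev.get("userIdentity", {})
        out.append({
            "time": ev["eventTime"],
            "principal": ident.get("arn", "unknown"),
            "type": ident.get("type", "unknown"),
            "ip": ev.get("sourceIPAddress"),
            "success": ev.get("responseElements", {}).get("ConsoleLogin") == "Success",
            "mfa_used": ev.get("additionalEventData", {}).get("MFAUsed") == "Yes",
        })
    return out


def summarise(lines):
    """Counts of MFA sign-ins, non-MFA sign-ins and failures (the control's evidence)."""
    counts = Counter()
    for e in parse_console_logins(lines):
        if not e["success"]:
            counts["failure"] += 1
        elif e["mfa_used"]:
            counts["success_mfa"] += 1
        else:
            counts["success_no_mfa"] += 1
    return dict(counts)


def findings(lines, failure_threshold=3):
    """Events that should be actioned: non-MFA sign-ins, root sign-ins, failure bursts."""
    results = []
    failures_by_ip = defaultdict(list)
    for e in parse_console_logins(lines):
        if e["success"] and not e["mfa_used"]:
            results.append({"rule": "console_login_without_mfa", "principal": e["principal"], "time": e["time"]})
        if e["success"] and e["type"] == "Root":
            results.append({"rule": "root_console_login", "principal": e["principal"], "time": e["time"]})
        if not e["success"]:
            failures_by_ip[e["ip"]].append(e["principal"])
    for ip, principals in failures_by_ip.items():
        if len(principals) >= failure_threshold:
            results.append({"rule": "repeated_failures_from_ip", "ip": ip,
                            "count": len(principals), "principals": sorted(set(principals))})
    return results


if __name__ == "__main__":
    print(summarise(SAMPLE_LINES))
    for f in findings(SAMPLE_LINES):
        print(f)
```

Against the sample data the summary shows two MFA sign-ins, one sign-in without MFA and three failures, and the findings name bob's non-MFA session, the root sign-in, and the three failed attempts against two different users from one source address. Running the same logic in the log archive account rather than in each member account is what makes the "centrally logged" and "protected from unauthorised modification" parts of the control hold.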