SEC02-BP01 Use strong sign-in mechanisms - AWS Well-Architected Framework (2022-03-31)

SEC02-BP01 Use strong sign-in mechanisms

Enforce minimum password length, and educate your users to avoid common or reused passwords. Enforce multi-factor authentication (MFA) with software or hardware mechanisms to provide an additional layer of verification. For example, when using IAM Identity Center as the identity source, configure the “context-aware” or “always-on” setting for MFA, and allow users to enroll their own MFA devices to accelerate adoption. When using an external identity provider (IdP), configure your IdP for MFA.

Level of risk exposed if this best practice is not established: High

Implementation guidance

  • Create an AWS Identity and Access Management (IAM) policy to enforce MFA sign-in: Create a customer-managed IAM policy that prohibits all IAM actions except for the ones that allow a user to assume roles, change their own credentials, and manage their MFA devices on the My Security Credentials page.

  • Enable MFA in your identity provider: Enable MFA in the identity provider or single sign-on service, such as AWS IAM Identity Center, that you use.

  • Configure a strong password policy: Configure a strong password policy in IAM and federated identity systems to help protect against brute-force attacks.
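
To make the first step concrete, the following added Python example (not AWS's own code or published policy text) builds a deny-unless-MFA customer-managed policy in the shape the guidance describes and runs a simplified IAM evaluator over it, showing which self-service calls remain reachable without MFA and why calls made with long-term access keys are also caught. The policy statements, the user name alice and the account ID are constructed for the example.

```python
import fnmatch

# Illustrative customer-managed policy in the shape the guidance describes
# (constructed for this example). The listed self-service actions stay
# reachable without MFA so a user can enrol a device; all else is denied.
SELF_SERVICE_NO_MFA = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]
MFA_ENFORCEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowManageOwnUser", "Effect": "Allow",
         "Resource": "arn:aws:iam::*:user/${aws:username}",
         "Action": ["iam:ChangePassword", "iam:GetUser", "iam:CreateAccessKey",
                    "iam:DeleteAccessKey", "iam:DeactivateMFADevice",
                    "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice"]},
        {"Sid": "AllowCreateOwnVirtualMFA", "Effect": "Allow",
         "Resource": "arn:aws:iam::*:mfa/*", "Action": ["iam:CreateVirtualMFADevice"]},
        # Explicit Deny beats any Allow in this or any other attached policy. BoolIfExists
        # also matches when the key is absent (long-term access keys carry no MFA context).
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "Resource": "*",
         "NotAction": SELF_SERVICE_NO_MFA,
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _matches(stmt, action, resource, username):
    # Statement applies when Action/NotAction and Resource (with ${aws:username} substituted) cover the request.
    acts, negate = (stmt["Action"], False) if "Action" in stmt else (stmt["NotAction"], True)
    hit = any(fnmatch.fnmatchcase(action, a) for a in acts) != negate
    pattern = stmt["Resource"].replace("${aws:username}", username)
    return hit and fnmatch.fnmatchcase(resource, pattern)

def _condition_ok(stmt, ctx):
    # Only BoolIfExists on aws:MultiFactorAuthPresent is modelled.
    for key, want in stmt.get("Condition", {}).get("BoolIfExists", {}).items():
        if key in ctx and str(ctx[key]).lower() != want:
            return False  # key present with a different value: no match
    return True  # key absent: IfExists makes the condition true

def decide(action, resource, username, mfa_present=None):
    # Simplified IAM evaluation: explicit Deny > Allow > implicit deny.
    ctx = {} if mfa_present is None else {"aws:MultiFactorAuthPresent": mfa_present}
    hits = [s for s in MFA_ENFORCEMENT_POLICY["Statement"]
            if _matches(s, action, resource, username) and _condition_ok(s, ctx)]
    effects = {s["Effect"] for s in hits}
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"
```

Permissions such as sts:AssumeRole come from the user's other attached policies; the explicit Deny statement here still gates them until an MFA-backed session is present.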

Resources

Related documents:

Related videos: