SEC02-BP01 Use strong sign-in mechanisms - AWS Well-Architected Framework (2022-03-31)

SEC02-BP01 Use strong sign-in mechanisms

Enforce minimum password length, and educate your users to avoid common or reused passwords. Enforce multi-factor authentication (MFA) with software or hardware mechanisms to provide an additional layer of verification. For example, when using IAM Identity Center as the identity source, configure the “context-aware” or “always-on” setting for MFA, and allow users to enroll their own MFA devices to accelerate adoption. When using an external identity provider (IdP), configure your IdP for MFA.

Level of risk exposed if this best practice is not established: High

Implementation guidance

  • Create an AWS Identity and Access Management (IAM) policy to enforce MFA sign-in: Create a customer-managed IAM policy that prohibits all IAM actions except for the ones that allow a user to assume roles, change their own credentials, and manage their MFA devices on the My Security Credentials page.

  • Enable MFA in your identity provider: Enable MFA in the identity provider or single sign-on service, such as AWS IAM Identity Center, that you use.

  • Configure a strong password policy: Configure a strong password policy in IAM and federated identity systems to help protect against brute-force attacks.


Related documents:

Related videos: