SEC02-BP01 Use strong sign-in mechanisms
Sign-ins (authentication using sign-in credentials) can present risks when not using mechanisms like multi-factor authentication (MFA), especially in situations where sign-in credentials have been inadvertently disclosed or are easily guessed. Use strong sign-in mechanisms to reduce these risks by requiring MFA and strong password policies.
Desired outcome: Reduce the risks of unintended access to credentials in AWS by using strong sign-in mechanisms for AWS Identity and Access Management (IAM)
Common anti-patterns:
-
Not enforcing a strong password policy for your identities including complex passwords and MFA.
-
Sharing the same credentials among different users.
-
Not using detective controls for suspicious sign-ins.
Level of risk exposed if this best practice is not established: High
Implementation guidance
There are many ways for human identities to sign-in to AWS. It is an AWS best practice to rely on a centralized identity provider using federation (direct federation or using AWS IAM Identity Center) when authenticating to AWS. In that case, you should establish a secure sign-in process with your identity provider or Microsoft Active Directory.
When you first open an AWS account, you begin with an AWS account root user. You should only use the account root user to set up access for your users (and for tasks that require the root user). It’s important to turn on MFA for the account root user immediately after opening your AWS account and to secure the root user using the AWS best practice guide.
If you create users in AWS IAM Identity Center, then secure the sign-in process in that service. For consumer identities, you can use Amazon Cognito user pools and secure the sign-in process in that service, or by using one of the identity providers that Amazon Cognito user pools supports.
If you are using AWS Identity and Access Management (IAM)
Regardless of the sign-in method, it’s critical to enforce a strong sign-in policy.
Implementation steps
The following are general strong sign-in recommendations. The actual settings you configure should be set by your company policy or use a standard like NIST 800-63
-
Require MFA. It’s an IAM best practice to require MFA for human identities and workloads. Turning on MFA provides an additional layer of security requiring that users provide sign-in credentials and a one-time password (OTP) or a cryptographically verified and generated string from a hardware device.
-
Enforce a minimum password length, which is a primary factor in password strength.
-
Enforce password complexity to make passwords more difficult to guess.
-
Allow users to change their own passwords.
-
Create individual identities instead of shared credentials. By creating individual identities, you can give each user a unique set of security credentials. Individual users provide the ability to audit each user’s activity.
IAM Identity Center recommendations:
-
IAM Identity Center provides a predefined password policy when using the default directory that establishes password length, complexity, and reuse requirements.
-
Turn on MFA and configure the context-aware or always-on setting for MFA when the identity source is the default directory, AWS Managed Microsoft AD, or AD Connector.
-
Allow users to register their own MFA devices.
Amazon Cognito user pools directory recommendations:
-
Configure the Password strength settings.
-
Require MFA for users.
-
Use the Amazon Cognito user pools advanced security settings for features like adaptive authentication which can block suspicious sign-ins.
IAM user recommendations:
-
Ideally you are using IAM Identity Center or direct federation. However, you might have the need for IAM users. In that case, set a password policy for IAM users. You can use the password policy to define requirements such as minimum length or whether the password requires non-alphabetic characters.
-
Create an IAM policy to enforce MFA sign-in so that users are allowed to manage their own passwords and MFA devices.
Resources
Related best practices:
Related documents:
Related videos: