SEC02-BP01: Use strong sign-in mechanisms

Enforce minimum password length, and educate your users to avoid common or reused passwords. Enforce multi-factor authentication (MFA) with software or hardware mechanisms to provide an additional layer of verification.

Implementation guidance

Strong sign-in mechanisms are essential for protecting your AWS environment from unauthorized access. By implementing robust authentication methods, you can significantly reduce the risk of credential compromise and unauthorized access to your AWS resources.

Key steps for implementing this best practice:

1. Implement strong password policies:
   • Enforce minimum password length (at least 12 characters)
   • Require a mix of character types (uppercase, lowercase, numbers, special characters)
   • Prevent the use of common or previously breached passwords
   • Set appropriate password expiration policies
   • Implement account lockout after multiple failed attempts
2. Enforce Multi-Factor Authentication (MFA):
   • Require MFA for all users, especially those with elevated privileges
   • Support multiple MFA options:
     • Virtual MFA (authenticator apps like AWS Virtual MFA, Google Authenticator)
     • Hardware MFA devices (YubiKey, Gemalto token)
     • FIDO security keys (U2F, WebAuthn)
   • Monitor and alert on MFA disablement
   • Consider implementing MFA for programmatic access
3. Implement contextual authentication:
   • Use conditional access policies based on:
     • User location/IP address
     • Device health and compliance
     • Time of day/unusual access times
     • Unusual access patterns
   • Require step-up authentication for sensitive operations
4. Secure root user accounts:
   • Enable MFA for all root user accounts
   • Store root user credentials securely
   • Limit the use of root user accounts to only necessary tasks
   • Monitor root user activity
5. Implement single sign-on (SSO) where appropriate:
   • Use AWS IAM Identity Center for workforce identities
   • Integrate with your existing identity provider
   • Implement just-in-time access provisioning
   • Enforce consistent authentication policies across all applications
6. Educate users on security best practices:
   • Provide training on creating and managing strong passwords
   • Explain the importance of MFA
   • Teach users to recognize phishing attempts
   • Establish clear procedures for reporting suspected security incidents

Implementation examples

Example 1: Setting up a strong IAM password policy

Code snippet hidden for website display

AWS CLI command: <!– CODE SNIPPET HIDDEN - Original content below:

aws iam update-account-password-policy \
  --minimum-password-length 14 \
  --require-symbols \
  --require-numbers \
  --require-uppercase-characters \
  --require-lowercase-characters \
  --allow-users-to-change-password \
  --max-password-age 90 \
  --password-reuse-prevention 24

CODE SNIPPET WILL BE PROVIDED SOON –>

Code snippet hidden for website display

Example 2: Enforcing MFA using Service Control Policies (SCPs)

Code snippet hidden for website display

Example 3: Setting up MFA for a user in AWS IAM

Code snippet hidden for website display

AWS services to consider

AWS Identity and Access Management (IAM)

Enables you to manage access to AWS services and resources securely. IAM supports MFA and allows you to set password policies for IAM users.

AWS IAM Identity Center

Helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. Supports MFA and integrates with your existing identity provider.

AWS Organizations

Helps you centrally manage and govern your environment as you scale your AWS resources. Use Service Control Policies (SCPs) to enforce MFA across your organization.

Amazon Cognito

Provides authentication, authorization, and user management for your web and mobile apps. Supports MFA and allows you to implement adaptive authentication.

AWS CloudTrail

Records API calls for your account and delivers log files to you. Use CloudTrail to monitor sign-in activities and detect unauthorized access attempts.

Benefits of using strong sign-in mechanisms

• Reduced risk of unauthorized access: Strong authentication mechanisms make it significantly harder for attackers to gain access to your AWS environment
• Defense in depth: Multiple authentication factors provide layered security
• Compliance support: Many compliance frameworks require strong authentication mechanisms
• Improved security posture: Strengthens your overall security posture by protecting the entry point to your AWS resources
• Reduced risk of credential theft: MFA protects against attacks even if passwords are compromised
• Increased user awareness: Implementing strong authentication raises security awareness among users

Related resources

Related Resources

• AWS Well-Architected Framework - Use strong sign-in mechanisms
• Using multi-factor authentication (MFA) in AWS
• Setting an account password policy for IAM users
• How to create a custom password policy for your AWS account
• How to protect the integrity of your encrypted data by using AWS Key Management Service and EncryptionContext
• Enable MFA for AWS IAM Identity Center