Cloud security is one of the most crucial aspects of cloud computing. Organizations deploy most of their resources on the cloud and use a variety of cloud services, and they want to ensure that their cloud infrastructure is as secure as possible. To that end, there are some practices related to AWS IAM MFA status which ensure secure access to your resources.
Importance of AWS IAM MFA in cloud security
In our previous blog, where we discussed why it is necessary to enable MFA at the user level, we also noted that configuring AWS IAM MFA adds an extra layer of security to your AWS account on top of traditional username-and-password authentication. When MFA is enabled, the user is prompted for an extra authentication response from their registered MFA device in addition to the username and password. Together, these factors provide increased security for the user’s account and prevent misuse of the AWS account or its resources. It is highly recommended that MFA be enabled on all AWS accounts in use.
How Centilytics helps you manage your MFA configuration
Centilytics provides a dedicated insight into the MFA status of your AWS accounts and lists both kinds of accounts, those with MFA enabled and those without, so that you can take the required actions to secure your AWS account.
There are 3 possible scenarios:

| Severity | Description |
|---|---|
| OK | This will be displayed alongside those accounts which have hardware MFA enabled. Hardware MFA means that the user has associated a hardware device with their AWS account; the device authenticates the user and adds a further layer of security. The device generates a six-digit code based on a time-synchronized OTP (one-time password) algorithm. The user has to enter the correct code shown on the device on the next page in order to authenticate successfully and sign in to the account. |
| WARNING | This will be displayed alongside those accounts which have virtual MFA enabled. Virtual MFA means that an application installed on your device (smartphone, desktop, tablet) supplies the second authentication factor required for the user to sign in to AWS. |
| CRITICAL | This will be displayed alongside those accounts which do not have AWS IAM MFA enabled. |
The remaining columns are described below:
1. Account Id: Shows the respective account ID of the user’s account.
2. Account Name: Shows the account name corresponding to the user’s account.
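The insight's OK / WARNING / CRITICAL classification can be reproduced for the IAM users of an account from the IAM API. The script below is an added example, not Centilytics' code: it assumes that a user's MFA devices come from `list_mfa_devices`, that virtual devices are the ones whose serial number also appears in `list_virtual_mfa_devices`, and that every other device is a hardware token. The classification itself is a pure function over constructed sample data (the account ID and serial numbers are made up), so it runs offline; `fetch_from_aws` uses boto3 only when you call it with real credentials.

```python
from typing import Dict, Iterable, List, Set, Tuple

STATUS_OK, STATUS_WARNING, STATUS_CRITICAL = "OK", "WARNING", "CRITICAL"


def classify(serials: Iterable[str], virtual_serials: Set[str]) -> str:
    """Map a user's MFA device serial numbers to the insight's three severities:
    no device -> CRITICAL, only virtual devices -> WARNING, any hardware device -> OK."""
    serials = list(serials)
    if not serials:
        return STATUS_CRITICAL
    if any(serial not in virtual_serials for serial in serials):
        return STATUS_OK
    return STATUS_WARNING


def classify_users(users_to_serials: Dict[str, List[str]],
                   virtual_serials: Set[str]) -> Dict[str, str]:
    """Classify every user; the result is the table the insight displays."""
    return {user: classify(serials, virtual_serials)
            for user, serials in users_to_serials.items()}


def fetch_from_aws(profile: str = None) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Collect the same two inputs from a live account (needs boto3 and credentials
    with iam:ListUsers, iam:ListMFADevices and iam:ListVirtualMFADevices)."""
    import boto3  # imported here so the offline part of the module needs no boto3
    iam = boto3.Session(profile_name=profile).client("iam")
    virtual = {
        device["SerialNumber"]
        for page in iam.get_paginator("list_virtual_mfa_devices").paginate()
        for device in page["VirtualMFADevices"]
    }
    users: Dict[str, List[str]] = {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            devices = iam.list_mfa_devices(UserName=user["UserName"])["MFADevices"]
            users[user["UserName"]] = [d["SerialNumber"] for d in devices]
    return users, virtual


# Constructed sample data: one hardware token, one virtual device, one user without MFA.
# Virtual MFA serial numbers are device ARNs; the hardware serial here is invented.
SAMPLE_VIRTUAL_SERIALS = {"arn:aws:iam::111122223333:mfa/bob"}
SAMPLE_USERS = {
    "alice": ["GAHT00000000"],
    "bob": ["arn:aws:iam::111122223333:mfa/bob"],
    "carol": [],
}


if __name__ == "__main__":
    for user, status in classify_users(SAMPLE_USERS, SAMPLE_VIRTUAL_SERIALS).items():
        print(f"{status:8} {user}")
```

A CRITICAL row for a user with console access is the one to act on first; a WARNING row is acceptable for many accounts, but the insight flags it so that privileged users can be moved to hardware tokens.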
| Filter | Description |
|---|---|
| Account Id | Applying the account Id filter will display data for the selected account Id. |
| Compliance | Applying the compliance filter will display only those security checks which fall under the selected compliance. |
| Severity | Applying the severity filter will display resources according to the selected severity type, e.g. selecting Critical will display all resources with critical severity. The same applies to the Warning and OK severity types. |
| Resource Tags | Applying the resource tags filter will display those resources which have been assigned the selected resource tag. For example, if a user has tagged some public snapshots with a resource tag named environment, selecting environment from the resource tags filter will display all resources tagged with the tag name environment. |
| Resource Tags Value | Applying the resource tags value filter will display data which has the selected resource tag value. For example, say a user has tagged some resources with a tag named environment and the value production (environment: production). The user can then view data for all resources tagged as “environment:production”. The tag value filter can be used only when a tag name has been provided. |
| Compliance Name | Reference No. | Link |
|---|---|---|
| ISO 27001 | A.6.2.2, A.9.1.2, A.9.2.3, A.9.3.1, A.9.4.2 | |
| NIST 800-53 | IA-2, IA-3, IA-4, IA-5, IA-7, SC-12 | https://docs.aws.amazon.com/ |