Use strong sign-in mechanisms

PostedNovember 27, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Managing identities effectively is crucial to securing AWS workloads. By implementing strong sign-in mechanisms, you can significantly reduce risks associated with unauthorized access and data breaches, ensuring that only authenticated users and machines interact with your resources.

Best Practices

Implement Multi-Factor Authentication (MFA)

Enable MFA for all IAM users, especially for those with elevated privileges, to add an extra layer of security beyond just a password. Implementing MFA helps to ensure that even if sign-in credentials are compromised, unauthorized access can still be mitigated. Utilize hardware tokens, virtual MFA apps, or SMS-based MFA as options for users.

Enforce Strong Password Policies

Require strong password policies that enforce a minimum length and complexity (uppercase letters, numbers, and special characters). Regularly prompt users to update their passwords (e.g., every 90 days) to minimize the risk of using compromised passwords. Provide guidance and tools to help users create strong passwords safely.

Monitor and Respond to Sign-In Activity

Utilize AWS CloudTrail to log and monitor sign-in events and establish alerts for unusual activity. Set up AWS Config Rules to track compliance and deviations from set security standards regarding sign-in mechanisms. Regularly review logs to detect suspicious behavior and take timely action.

Use IAM Roles and Policies for Machine Identities

Utilize IAM roles for service applications and operational tools to assume identities rather than embedding access keys in code. This enhances security by enabling permissions to be granted dynamically and limiting the lifespan of access. Implement least privilege principles by creating specific roles with narrowly defined permissions for each application or service.

Educate Users About Security Best Practices

Conduct regular training sessions to educate administrators, developers, and end users about the importance of strong sign-in mechanisms, including how to recognize phishing attempts. Provide materials that emphasize the importance of safeguarding credentials and using MFA in their day-to-day interactions with AWS.

Questions to ask your team

Do you implement multi-factor authentication (MFA) for all human identities accessing AWS resources?
Are strong password policies enforced across all accounts, including complexity and rotation requirements?
How do you monitor for and respond to potential signs of credential compromise?
Is there a process in place to regularly review access permissions for human and machine identities?
What strategies do you employ to educate users about the importance of secure sign-in practices?

Who should be doing this?

Identity and Access Management (IAM) Administrator

Configure and manage IAM policies and roles for both human and machine identities.
Implement strong password policies and multi-factor authentication (MFA) for AWS accounts.
Regularly audit access controls and identity permissions to ensure compliance with security standards.
Provide training and best practices for users on managing sign-in credentials securely.
Monitor and respond to identity-related security incidents or anomalies.

Security Architect

Design and recommend security practices for identity management across AWS resources.
Conduct risk assessments to identify vulnerabilities related to identity and access.
Collaborate with development teams to integrate identity management solutions into applications.
Keep abreast of AWS security best practices and update strategies accordingly.
Evaluate and select third-party identity management solutions as needed.

IT Support Specialist

Assist users in managing their AWS identities and handling authentication issues.
Support users in enabling and configuring MFA on their accounts.
Respond to access requests and manage user provisioning/deprovisioning.
Educate users on secure sign-in practices and how to protect their credentials.
Document and troubleshoot identity-related incidents and user support cases.

What evidence shows this is happening in your organization?

Identity Management Policy: A comprehensive document outlining the procedures for managing human and machine identities, including guidelines for strong sign-in mechanisms, implementation of MFA, and password policies.
MFA Implementation Guide: A step-by-step guide detailing how to implement multi-factor authentication for AWS accounts, including user setup, device registration, and troubleshooting tips.
Access Control Checklist: A checklist designed to ensure that proper access controls are in place for both human and machine identities, emphasizing the need for strong sign-in mechanisms and MFA for all users.
Identity Access Management Dashboard: An operational dashboard that provides real-time visibility into user access patterns, authentication attempts, and security alerts related to identity management within AWS environments.
Security Training Plan: A training plan for staff that covers best practices for identity management, including the importance of strong sign-in methods and perfecting user awareness for security risks.

Cloud Services

AWS

AWS Identity and Access Management (IAM): IAM allows you to manage user access and permissions to AWS resources securely. It supports the implementation of strong sign-in mechanisms such as multi-factor authentication (MFA).
AWS Single Sign-On (SSO): AWS SSO enables centralized management of user access to AWS accounts and applications, supporting MFA and providing a seamless sign-in experience.
Amazon Cognito: Cognito provides user sign-up, sign-in, and access control, enabling you to implement MFA and strong password policies for both human and machine identities.

Azure

Azure Active Directory (Azure AD): Azure AD is a cloud-based identity and access management service that includes support for MFA and secure sign-in processes for users interacting with Azure resources.
Azure Active Directory B2C: Azure AD B2C enables customer identity management with robust features including MFA, allowing external users to access applications securely.

Google Cloud Platform

Google Cloud Identity: Google Cloud Identity provides identity management and enables secure sign-in capabilities, including MFA for both users and service accounts.
Google Cloud IAM: Google Cloud IAM allows you to manage access to Google Cloud resources securely, enabling MFA and fine-grained roles for secure access control.

Question: How do you manage identities for people and machines?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals