Protecting the management account for cloud services can be one of the most critical security points of a cloud-based solution. Arguably, the account is more important than instance and operating system security for cloud workloads. Amazon Web services (AWS) has recently introduced a new feature, Amazon Web services multi-factor authentication (AWS-MFA), to allow more secure account access.
With AWS-MFA enabled on an AWS account, access to the services are now required to use two-factor authentication. The first factor is the standard e-mail address and password for the AWS account, and the second factor is a six-digit code displayed on a token device. The token device currently available for AWS integration is a Gemalto device. The six-digit code is time expired and is placed with the standard AWS credentials for access to account functions. Figure A shows a Gemalto token device:
Click image to enlarge.
AWS account holders can choose to enable the token device, and once they do, their account is presented with the second authentication factor. Figure B shows this in use:
In typical AWS fashion, enabling the AWS-MFA feature is very easy for the account and quite affordable. The Gemalto token device is available for $12.99, including shipping for U.S. addresses. Further, there is no additional costs or pricing required to use the device once it is enabled on the AWS account. Many of the interface documents for AWS services have been updated near this feature’s releases, as well as other new features such as the Amazon Virtual Private Cloud (Amazon VPC).