MFA Device for AWS Account Root Users
Every list of AWS security best practices will tell you to add a second authentication factor to your AWS account root user, and it is good advice, but how exactly should one do that? In this article, we'll provide some concrete guidance on managing hardware authentication devices and how your procedures will change to account for them.
Specifically, we will focus on adding MFA to a corporate AWS account. The requirements for a corporate account are different than for a personal account, because we need to account for multiple administrators and the possibility of one leaving the company.
MFA? 2FA? Which one do I need?
First, let's understand what is meant by MFA/2FA and why it's a best practice to add it to your AWS account root user. A "factor" of authentication is a piece of evidence that a user is who he claims to be. The more evidence (factors) provided, the more confidence can be had in the identity of the person authenticating. There are three general categories of authentication factors:
- Knowledge - something you know (e.g., password, passphrase, etc.)
- Possession - something you have (e.g., mobile phone, hardware token, key, etc.)
- Inherence - something naturally inseparable from you (e.g., fingerprint, retinal scan, facial recognition, etc.)
A simple authentication system using only a user name and password would be using just one factor of authentication: knowledge. When you add another factor, such as a hardware token, then you have 2-factor authentication, or 2FA. Multi-factor authentication, or MFA, broadly describes any system that authenticates with more than one factor, so it includes 2FA. Most of the time, MFA and 2FA can be used interchangeably, but MFA could refer to a system with 3 or more factors of authentication.
Which MFA devices does AWS support?
AWS supports three types of MFA devices:
- Virtual MFA devices - these are smartphone applications that allow your phone to be used as a possession factor. The following apps are supported: Authy, Duo Mobile, LastPass Authenticator, Microsoft Authenticator, Google Authenticator, and Symantec VIP.
- U2F/FIDO security key - this is a small physical device that plugs into a USB port and is uniquely registered with AWS as the possession factor for the account.
- Hardware MFA device - these are physical devices, in the form of a key fob or wallet card, that display a 6-digit code that changes every few seconds.
We recommend the YubiKey U2F/FIDO devices available from Yubico for these reasons:
- Virtual MFA devices are not a good choice for a corporate root user, because they are tied to an individual's smartphone.
- The hardware devices with a display are targets for at-a-glance code theft, social engineering, and phishing attacks. In other words, it is possible for the code to be used by someone who does not possess the key.
- The YubiKey devices are only usable by a person who is physically holding the key.
- YubiKey devices are very affordable, durable, and consumer-friendly.
Which device should I buy?
Yubico makes a lot of different devices for different use cases. Our use case is for a shared root user on a corporate account. This device is not going to hang from your key chain or be stashed in your laptop bag, but should be locked in a vault. Here are some factors to keep in mind when choosing a device:
- Avoid anything with NFC in the name. These use the wireless Near Field Communications protocol and could be subject to wireless attacks. Those are good options for authenticating on a smartphone, but not for our use case.
- Avoid the Security Key Series. These are also NFC enabled, even though it's not in the name.
- Avoid the Bio Series. These require a fingerprint to use and that will not work as a shared key between multiple users.
- Avoid the YubiHSM products. These are hardware security modules, not U2F/FIDO security keys.
- Avoid anything with Nano in the name. These are so small you could lose them if they are not attached to something larger, like your car keys. The larger size is an advantage for our use case.
- The YubiKey 5Ci and 5Ci FIPS have an Apple lightning connector to use with an iPhone or iPad. We probably don't need that.
These are all great products, but they are not a good fit for our use case. That leaves us with just two models to choose from:
- YubiKey 5C
- YubiKey 5C FIPS
If your environment requires FIPS 140-2 compliance, choose the YubiKey 5C FIPS. If not, choose the YubiKey 5C. The FIPS-certified devices are about 40% more expensive than their non-FIPS counterparts.
How many should I buy?
There are a few things to consider in answering this question. First, if your intention is to buy multiple, duplicate keys and distribute them, say to different officers of the company, that can't be done. Every YubiKey is unique, and only one can be registered with your AWS root user account.
Since there is no way to have redundant or backup keys, you really only need to buy one. You can use the same key for multiple AWS accounts. If your key is lost, stolen, damaged or destroyed, it can be replaced by an account administrator who has access to the root user mailbox.
If you are operating a large number of AWS accounts, there could be a "blast radius" concern here. In the event that a key was lost, stolen, damaged, or destroyed, you could save yourself some work if you had multiple keys, each associated with some subset of accounts. You would be able to replace the lost key on just those accounts that were associated with it, and not have to touch the rest. That said, if you're storing all the keys in the same vault, they will likely all be lost, stolen, or destroyed together.
What do I do with it?
First of all, remember that the root user should not be used for day-to-day operations. You should create at least one administrative user for regular access to the account. The root account should only be used during the initial account setup, and only for special or emergency situations after that.
Second, your account root user email address should never be associated with an individual, but should be a shared or group mailbox. Ideally you would have at least two users with access to the root user. Since these email addresses must be globally unique, meaning no two AWS accounts can use the same email, we recommend using plus addressing to produce multiple, unique email addresses for the same mailbox. For example, you might use addresses like these for multiple accounts: firstname.lastname@example.org, email@example.com. The account root user email address can be changed by following these instructions if needed.
Now you're ready to enable MFA for the root user. You will need to log in as the root user to perform these steps. If the account was created using AWS Control Tower, there are a few extra steps to gain access as the root user.
After that, the MFA device should be locked in a vault or other secure location that is accessible by at least two of your AWS administrators.
For small companies, this may not be an option. It may be that you have one administrator who keeps the key in his sock drawer. What do you do if your administrator wins the lottery and refuses to come back to work? As long as you have access to the root user email account, you can still access the root account, following these instructions: What to do if your MFA device is lost or damaged.
To summarize, follow these steps to enable MFA for a corporate AWS account root user:
- Buy a YubiKey 5C.
- Make sure your root user email is a shared mailbox.
- Enable MFA for your AWS account root user.
- Lock the MFA device in a vault.
- Follow these instructions if it is lost, stolen, damaged, or destroyed.
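Two of the steps above can be checked without logging in as the root user: whether the root user actually has MFA enabled, and whether the root email follows the shared-mailbox convention. The script below is an added example, not code from the article or from AWS, that runs such an audit over a constructed inventory. It assumes that the MFA status comes from the AccountMFAEnabled field of the SummaryMap returned by `aws iam get-account-summary` (1 when root MFA is enabled), that the shared mailbox is a hypothetical aws-root@example.com, and that per-account root addresses are plus-addressed aliases of it; the account ids and summaries are constructed sample data.

```python
"""Added example (not from the original article): an offline audit of the
checkable steps above. Root MFA status is read from the AccountMFAEnabled
counter in the SummaryMap of `aws iam get-account-summary` (1 = root MFA
enabled, 0 = not); root emails are expected to be +tag aliases of one shared
mailbox. All account data below is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical shared group mailbox that every root-user address should alias to.
SHARED_MAILBOX = "aws-root@example.com"


@dataclass
class AccountRecord:
    account_id: str      # 12-digit AWS account id (constructed)
    root_email: str      # root user email address (constructed)
    summary_map: dict    # SummaryMap from `aws iam get-account-summary`


# Constructed sample inventory, not real accounts.
SAMPLE_ACCOUNTS = [
    AccountRecord("111111111111", "aws-root+prod@example.com", {"AccountMFAEnabled": 1, "Users": 5}),
    AccountRecord("222222222222", "aws-root+dev@example.com", {"AccountMFAEnabled": 0, "Users": 3}),
    AccountRecord("333333333333", "jane.doe@example.com", {"AccountMFAEnabled": 1, "Users": 1}),
    AccountRecord("444444444444", "aws-root@example.com", {"AccountMFAEnabled": 1, "Users": 2}),
]

# local part, optional +tag, domain; a tag may itself contain '+'.
_EMAIL_RE = re.compile(r"^(?P<local>[^@+]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")


def base_mailbox(email: str) -> Optional[str]:
    """Strip the +tag from a plus-addressed email; None if the address is malformed."""
    m = _EMAIL_RE.match(email.strip().lower())
    if not m:
        return None
    return f"{m.group('local')}@{m.group('domain')}"


def is_shared_alias(email: str, shared: str = SHARED_MAILBOX) -> bool:
    """True when `email` is the shared mailbox itself or a +tag alias of it."""
    return base_mailbox(email) is not None and base_mailbox(email) == base_mailbox(shared)


def root_mfa_enabled(summary_map: dict) -> bool:
    """Interpret the AccountMFAEnabled counter from get-account-summary."""
    return int(summary_map.get("AccountMFAEnabled", 0)) == 1


def audit(accounts) -> Dict[str, List[str]]:
    """Return account id -> list of findings; an empty list means the account is clean."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        problems = []
        if not root_mfa_enabled(acct.summary_map):
            problems.append("root user has no MFA device enabled")
        if not is_shared_alias(acct.root_email):
            problems.append(f"root email {acct.root_email} is not an alias of {SHARED_MAILBOX}")
        findings[acct.account_id] = problems
    return findings


if __name__ == "__main__":
    for account_id, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{account_id}: {'OK' if not problems else '; '.join(problems)}")
```

In practice you would replace SAMPLE_ACCOUNTS with the output of `aws iam get-account-summary` collected under each account's administrative role; the root email itself is not returned by that call, so it has to come from your own account inventory.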
In this article, we have covered the basics of multi-factor authentication, which devices work best for a corporate AWS account, and procedures for replacing a lost or damaged MFA device. We hope this has been helpful for anyone wishing to improve the security of their AWS account. Please share any comments or questions below.