11 April,19 at 11:51 AM
Background
In a previous entry, I wrote an article titled "A Playbook to secure your Amazon AWS Infrastructure using Centrify and Active Directory" and I described the use of Centrify Identity Platform and Active Directory to implement enhanced security controls to protect AWS deployments.
In this first part, we'll address how to secure the AWS root account. Amazon recommends protecting the root account with multi-factor authentication; in this article I describe a strategy that not only meets that recommendation but exceeds it.
Enhanced Objectives
The Value of Centrify Identity Service
Centrify Identity Service provides a powerful policy engine that allows these controls to be implemented not only for the Amazon AWS app, but for any web application that uses a user/password authentication pattern with a shared account.
As is customary, we'll use the Plan-Do-Check-Adjust methodology.
Planning
Role-Based Access Control
- Should the application always be accessible by a limited group of users?
- Should application access be governed by AD group membership or by a Centrify Role?
- Should the application be accessible to nobody by default and only requested on demand?
- Who will approve the application access request?
Additional Controls
An example
Access will be governed by AD group membership (e.g. AWS-Root-Users); ad-hoc access will be requested and granted via workflow. The app will require a step-up authentication before launch. The approvers will be the members of an AD group called AWS-Root-Approvers.
Technical Requirements
Implementation
Access Control Building-Blocks
Create the AD Groups
- AWS-Root-Users: add the permanently authorized users.
- AWS-Root-App-Approvers (the AWS-Root-Approvers group of the planning example): add the set of users who will approve access requests (ideally not the same users as above, to enforce separation of duties).
Create the AWS Root Role
Members of this role will have permanent access to the AWS Console as root. This is controlled by AD group membership.
Create the AWS Root Approvers Role
Members of this role will be able to approve who gets to access this app. This is controlled by AD group membership.
Configuration in Identity Service
Add and Configure the AWS User/Password App
Verification
At this point you can sign in to Centrify Identity Service as any user in the AWS Root CIS role and launch the app, or a user outside the role can trigger an access request via the "Add Apps" menu of the User Portal.
Adjustments
Limiting Access only from the Corporate Network
This is desirable if you want to make sure users can only reach the AWS console from the on-premises corporate network. Planning for this means identifying the corporate subnets, or rather the public IP addresses that corporate traffic is translated to (NAT) for outbound internet connectivity, since those are the addresses Centrify Identity Service sees. Add them to the corporate IP range in the Centrify Identity Service settings, then use the Policy tab of the AWS Root App to enforce the restriction.
Adding Multifactor Authentication or Other Controls
MFA is built in to Centrify Identity Service. All you need to do is enable it in the app's policy; provided there is an authentication profile that supports the step-up methods you want, you are set.
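To make the decision logic of this design concrete (the planning example, the two AD groups and roles, the corporate-network restriction and the MFA step-up), here is a small model of the policy in Python. It is an added illustration written for this page, not Centrify code and not how the Centrify policy engine is implemented; the group names are the ones used in the example above, while the subnets, NAT address, users and one-hour grant lifetime are constructed assumptions.

```python
"""Toy model of the access policy this article builds in Centrify:
permanent access via an AD group, on-demand access via an approval
workflow with separation of duties, a corporate-IP restriction and an
MFA step-up. Added illustration only; group names follow the planning
example, subnets/users/TTL are constructed assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Group names from the planning example (hypothetical identifiers).
USERS_GROUP = "AWS-Root-Users"
APPROVERS_GROUP = "AWS-Root-Approvers"

# Corporate subnets plus the public NAT address range that outbound traffic
# is seen from. Constructed sample values (RFC 1918 and TEST-NET-3).
CORPORATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]


@dataclass
class AccessRequest:
    """An on-demand ('Add Apps') request and, once approved, its grant."""
    requester: str
    approved_by: Optional[str] = None
    expires_at: Optional[datetime] = None


class Directory:
    """Stand-in for AD group lookups: user -> set of group names."""

    def __init__(self, members: dict[str, set[str]]):
        self.members = members

    def in_group(self, user: str, group: str) -> bool:
        return group in self.members.get(user, set())


class RootAppPolicy:
    def __init__(self, directory: Directory, grant_ttl: timedelta = timedelta(hours=1)):
        self.directory = directory
        self.grant_ttl = grant_ttl  # assumption: ad-hoc grants are time-boxed
        self.requests: dict[str, AccessRequest] = {}

    def request_access(self, user: str) -> None:
        self.requests[user] = AccessRequest(requester=user)

    def approve(self, approver: str, requester: str, now: datetime) -> None:
        req = self.requests.get(requester)
        if req is None:
            raise LookupError(f"no pending request for {requester}")
        if not self.directory.in_group(approver, APPROVERS_GROUP):
            raise PermissionError(f"{approver} is not in {APPROVERS_GROUP}")
        if approver == requester:  # separation of duties
            raise PermissionError("a requester may not approve their own request")
        req.approved_by = approver
        req.expires_at = now + self.grant_ttl

    @staticmethod
    def from_corporate_network(src_ip: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in CORPORATE_RANGES)

    def has_valid_grant(self, user: str, now: datetime) -> bool:
        req = self.requests.get(user)
        return req is not None and req.expires_at is not None and now < req.expires_at

    def evaluate(self, user: str, src_ip: str, now: datetime, mfa_passed: bool = False) -> str:
        """Return 'deny', 'step-up' (MFA still required) or 'allow'.
        Network check first, so off-network callers learn nothing about
        role membership; then RBAC/workflow; then the step-up."""
        if not self.from_corporate_network(src_ip):
            return "deny"
        if not (self.directory.in_group(user, USERS_GROUP) or self.has_valid_grant(user, now)):
            return "deny"
        return "allow" if mfa_passed else "step-up"


def demo() -> dict[str, str]:
    """Walk through the article's scenario with constructed users."""
    directory = Directory({
        "alice": {USERS_GROUP},       # permanently authorised
        "bob": set(),                 # must request access
        "carol": {APPROVERS_GROUP},   # approver only (separation of duties)
    })
    policy = RootAppPolicy(directory)
    t0 = datetime(2016, 2, 1, 9, 0, tzinfo=timezone.utc)
    out = {
        "alice-corp-no-mfa": policy.evaluate("alice", "10.1.2.3", t0),
        "alice-corp-mfa": policy.evaluate("alice", "10.1.2.3", t0, mfa_passed=True),
        "alice-offnet-mfa": policy.evaluate("alice", "198.51.100.7", t0, mfa_passed=True),
        "bob-before-request": policy.evaluate("bob", "203.0.113.9", t0, mfa_passed=True),
    }
    policy.request_access("bob")
    policy.approve("carol", "bob", t0)
    out["bob-after-approval"] = policy.evaluate("bob", "203.0.113.9", t0 + timedelta(minutes=5), mfa_passed=True)
    out["bob-after-expiry"] = policy.evaluate("bob", "203.0.113.9", t0 + timedelta(hours=2), mfa_passed=True)
    policy.request_access("carol")
    try:
        policy.approve("carol", "carol", t0)
        out["carol-self-approval"] = "accepted"
    except PermissionError:
        out["carol-self-approval"] = "rejected"
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} -> {decision}")
```

The order of checks in `evaluate` is the part worth copying into a real policy: the network restriction is evaluated before anything that depends on the user, the ad-hoc grant carries an expiry so a one-off approval does not silently become permanent, and the approver group is checked together with a self-approval test so that putting the same person in both groups cannot defeat the separation of duties.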
Enhancements of CIS 2016.2
Amazon AWS provides a virtual MFA capability that leverages OATH (time-based one-time passwords). As of February 2016, Centrify allows you to use any OATH-based OTP mechanism, which means you can leverage the AWS virtual MFA as well.
Video Playlist
Related Articles
Part I: Securing AWS Series Overview
Part II: Securing the Amazon AWS Root Account with Centrify Identity Service and Active Directory
Part III: Securing Amazon IAM using Centrify Identity Service and Active Directory
Part IV: Securing AWS EC2 Linux instances with Centrify Server Suite and Active Directory
Part V: Securing AWS EC2 Session Access (Jumpbox) and Passwords using Centrify Privilege Service