Multi-Factor Authentication for a Bastion Host on AWS

This article shows how to require multi-factor authentication (MFA) for logins to a bastion host on AWS. A bastion host is the entry point through which administrators reach instances in the private subnets of a VPC, so a stolen SSH key or password for the bastion exposes everything behind it; requiring a second factor on the bastion limits that damage.

AWS bastion host

A bastion host (also called a jump host) is a hardened instance with a public IP address, placed in a public subnet, that is the only machine administrators SSH into directly; from it they hop to instances in private subnets that have no public address. It exists precisely because those instances are not reachable from the internet; if your administrators already reach the VPC over a VPN or Direct Connect connection, a publicly reachable bastion may not be needed at all. Because the bastion is the one place where an attacker on the internet can attempt to authenticate, SSH on it should require a public key plus a second factor, not a key or a password alone.

A Virtual Private Cloud (VPC) is an isolated network environment in AWS in which you control the virtual network: you choose the IP address range, create public and private subnets, and configure route tables. Security groups are the stateful firewalls attached to instances in a VPC; they decide which source addresses may reach the bastion's SSH port and, in turn, which instances the bastion may reach.

There are two broad ways to add a second factor to SSH logins on the bastion, and both plug into OpenSSH the same way, through PAM's keyboard-interactive challenge: a self-service factor that is verified on the bastion itself, or a managed MFA service that the bastion calls out to.

Self-service MFA

In the self-service approach each user enrols a time-based one-time-password (TOTP) authenticator app such as Google Authenticator against a secret generated on the bastion, and a PAM module (pam_google_authenticator is the usual one) verifies the six-digit code locally; any standard TOTP app works and no external service is involved. The cost is that the bastion becomes the single place that holds every user's TOTP seed as well as the authentication logic: an attacker who gains root on the bastion holds everyone's second factor along with access to everything behind it, so the host must be kept minimal and patched, and seeds should be revoked and re-enrolled after any suspected compromise. One-time codes delivered by SMS through a gateway such as Nexmo are a weaker variant of this approach, because SMS can be intercepted or redirected by SIM swapping; prefer an authenticator app or a hardware security key.

Managed MFA service

A managed MFA service such as Duo, Okta or RSA SecurID verifies the second factor on the provider's side: the bastion's PAM stack hands the challenge to the vendor's PAM module (or to a generic RADIUS PAM module pointed at the provider) and receives an allow or a deny. Users and their enrolled devices are administered centrally, so enrolment, revocation and push-based approvals do not depend on the state of any one bastion, and a compromised bastion does not yield every user's seed. These services are operated by the vendor, not by AWS; what AWS itself provides is IAM MFA for the Management Console and API, which is a separate layer from SSH MFA on the host. The trade-offs are a runtime dependency on the provider (configure the module to fail closed when the provider is unreachable, and keep a separately secured break-glass path) and an integration secret stored on the bastion that must be readable by root only.

Secure instances with multi-factor authentication

Putting MFA on the bastion involves the following steps:

Step one: Create a security group for the bastion, or reuse an existing one, whose inbound rule permits TCP port 22 only from your administrators' known source addresses (office ranges, a corporate VPN egress), never from 0.0.0.0/0, and whose outbound rules allow SSH only to the private subnets.

Step two: In the security groups of the instances behind the bastion, allow inbound SSH with the bastion's security group as the source, so that those instances accept SSH from the bastion and from nowhere else.

Step three: Create an IAM role for the bastion instance and attach it as an instance profile, granting only what the host needs, for example read access to the single secret that holds a managed MFA provider's integration key. The role does not need, and should not have, broad EC2 or IAM permissions.

Step four: For the IAM users and roles that administer the bastion from the AWS side (console, API, CLI), require AWS MFA with an IAM policy that denies actions unless the aws:MultiFactorAuthPresent condition key is true. This protects the AWS control plane; it does not by itself protect SSH logins to the host.

Step five: Make the bastion the only instance in the VPC with a public IP address; everything behind it lives in private subnets. Disable direct root login over SSH and give each administrator a named account on the bastion. Never install a shared key, or a service account's credentials, as an authorized key for root.

Step six: Create an SSH key pair per administrator and place each public key in that user's ~/.ssh/authorized_keys. Keys are not shared between people, and the MFA provider's credentials are never used as SSH keys.

Step seven: Install the MFA module and enrol users. For self-service TOTP, install pam_google_authenticator, have each user run the google-authenticator tool to generate a seed (stored in that user's ~/.google_authenticator) and scan it into their app, and add the line "auth required pam_google_authenticator.so" to /etc/pam.d/sshd without the nullok option (nullok lets accounts that have not enrolled skip the code). For a managed provider, install its PAM module and configure its documented integration parameters (typically an integration key, a secret key and the provider's API host) in a configuration file readable by root only, set to fail closed.

Step eight: Configure sshd to demand both factors. In /etc/ssh/sshd_config set PasswordAuthentication no, PermitRootLogin no, KbdInteractiveAuthentication yes (ChallengeResponseAuthentication on older releases), UsePAM yes and AuthenticationMethods publickey,keyboard-interactive. Note the comma: a space-separated list would make either method sufficient on its own. Moving sshd to a non-standard port is optional and only reduces log noise; it is not a security control. Validate the file with sshd -t before reloading the service.

Step nine: Test from a second terminal while keeping your existing session open, so that a mistake in sshd_config or PAM cannot lock you out. Confirm that a login presenting key plus code succeeds, that key alone and code alone both fail, and that a wrong code is rejected and logged.

Step ten: Once MFA is confirmed working, remove any temporary broad inbound rule you used during setup, so that the bastion's security group contains only the final administrator allow-list.
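The steps above end with a login test, but sshd's semantics make it easy to believe MFA is enforced when it is not: a space instead of a comma in AuthenticationMethods makes either method sufficient, nullok on the PAM line exempts every unenrolled account, and PasswordAuthentication left at its default keeps a third way in. The following added example (not from the original article; the directive names are real OpenSSH and PAM keywords, the configuration texts are constructed samples) audits an sshd_config and /etc/pam.d/sshd for the settings the procedure requires, with the weak and hardened configurations side by side. It reads the global section only; a Match block can override AuthenticationMethods for particular users, groups or addresses, so review those separately.

```python
"""Audit sshd_config and /etc/pam.d/sshd for enforced key + one-time-code MFA.

Added example, not code from the original article. Directive names are real
sshd_config and PAM keywords; the configuration texts are constructed samples,
and the module checked is pam_google_authenticator (a Duo or RADIUS PAM module
would be checked the same way).
"""
import re

# Constructed: a default-looking config. A stolen key or a guessed password is
# enough on its own, and root is reachable directly.
WEAK_SSHD_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed: hardened. The comma means BOTH methods must succeed, in order;
# keyboard-interactive is answered by the PAM MFA module, not by a password.
HARDENED_SSHD_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""

# Constructed /etc/pam.d/sshd fragments. 'nullok' lets an account with no enrolled
# secret skip the code; on Debian/Ubuntu '@include common-auth' must be commented
# out or a password prompt returns inside the keyboard-interactive exchange.
WEAK_PAM_SSHD = "auth required pam_google_authenticator.so nullok\n@include common-auth\n"
HARDENED_PAM_SSHD = "# @include common-auth\nauth required pam_google_authenticator.so\n"

REQUIRED = {"publickey", "keyboard-interactive"}


def _directives(text):
    """Yield (keyword_lower, value) for each non-comment line of an sshd_config."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"[ \t=]+", line, maxsplit=1)
            if len(parts) == 2:
                yield parts[0].lower(), parts[1].strip()


def parse_global(text):
    """Global section only (stops at the first Match); sshd keeps the FIRST value."""
    settings = {}
    for key, value in _directives(text):
        if key == "match":
            break
        settings.setdefault(key, value.lower())
    return settings


def methods_require_mfa(value):
    """True only if every space-separated alternative demands key AND code.
    Space separates alternatives (any one suffices); comma joins methods that
    must all succeed, so 'publickey keyboard-interactive' is NOT MFA."""
    if not value:
        return False
    return all(REQUIRED <= {m.split(":")[0] for m in alt.split(",")}
               for alt in value.lower().split())


def audit_sshd(text):
    """Return findings; an empty list means key + code is enforced for everyone."""
    s, findings = parse_global(text), []
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no' (sshd default is yes)")
    if s.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if s.get("usepam", "no") != "yes":
        findings.append("UsePAM is not 'yes'; PAM must answer keyboard-interactive")
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes"))
    if kbd != "yes":
        findings.append("KbdInteractiveAuthentication (alias ChallengeResponseAuthentication) is not 'yes'")
    if not methods_require_mfa(s.get("authenticationmethods")):
        findings.append("AuthenticationMethods must be 'publickey,keyboard-interactive'")
    return findings


def audit_pam_sshd(text):
    """Findings for /etc/pam.d/sshd: MFA module present, enforced, and without nullok."""
    findings, seen = [], False
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if "pam_google_authenticator.so" in fields:
            seen = True
            if fields[0] != "auth" or fields[1] not in ("required", "requisite"):
                findings.append("MFA module must be 'auth required' (or 'requisite')")
            if "nullok" in fields:
                findings.append("nullok lets unenrolled accounts skip the second factor")
    if not seen:
        findings.append("no pam_google_authenticator.so line in the auth stack")
    return findings
```

Run audit_sshd on the bastion's real /etc/ssh/sshd_config (and any files pulled in by Include) and audit_pam_sshd on /etc/pam.d/sshd as part of the step-nine test; an empty list from both, plus a failed login with key alone, is the evidence that MFA is actually enforced rather than merely installed.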

What is multi-factor authentication?

Multi-factor authentication is an authentication process in which the user presents two or more credentials of different types: something you know, such as a password or PIN; something you have, such as a hardware token, a smart card or an authenticator app that generates one-time codes; or something you are, such as a fingerprint. Two credentials of the same type (two passwords, say) are not multi-factor.

Multi-factor authentication strengthens login security because a password or SSH key that has been stolen, phished or guessed is no longer sufficient on its own; the attacker also needs the second factor, which lives on a different device.

What are some benefits of AWS?

AWS provides a pay-as-you-use model and reduces the time to market for your product, and it exposes the building blocks used here (VPCs, subnets, security groups, IAM roles) as managed services. AWS MFA, configured in IAM, protects sign-in to the AWS Management Console and, when IAM policies require it, API calls made through the SDKs and through command-line tools such as the AWS CLI and Terraform when they run with MFA-backed temporary credentials obtained from STS. This is separate from MFA on the bastion host itself: IAM MFA guards the AWS control plane, while the PAM-based MFA described above guards SSH logins to the instance.

AWS secures its infrastructure at multiple layers, from physical access to logical access controls, and MFA is an important part of the logical layer. IAM supports several MFA device types, including virtual authenticator apps, FIDO security keys and hardware TOTP tokens, and AWS security guidance recommends enabling MFA for every human user.
