Securing Remote Access to AWS with Multi Factor Authentication

To follow security best practices, especially for remote access, I wanted users in their respective groups to authenticate with more than one factor before getting in. Below is the process I followed.

Enable SSO & Customize Portal: I simply clicked Enable in the SSO dashboard, then customized my User Portal as seen in Image 1 (note that this name can only be assigned once).

Image 1

Setup the AWS SSO groups and users: I added two groups, one for production and one for development (Image 2). My Cost Optimization group already existed from prior work. I then added users to the groups (Image 3).

Image 2
Image 3

I then selected the permission sets used in a previous lab for the same users. In a real setting it would be better to create new permission sets, scoped to who should have access to what, depending on the size of the organization.

I then assigned users to the groups as seen in Images 4 & 5 to ensure they had access with the right permissions.

Image 4
Image 5
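As an added example that is not part of the original post: a small audit script that pulls the Identity Center groups and their members with boto3 and flags users who sit in both the production and development groups, so the assignments made above can be checked against least privilege. The identity store ID is a placeholder and the sample data is constructed; the checks themselves run offline.

```python
"""Audit IAM Identity Center (AWS SSO) group membership: pure functions work on
dicts shaped like identitystore responses (testable offline on the constructed
sample); fetch_memberships() pulls live data with boto3 against an account."""
from collections import defaultdict

# Placeholder identity store ID (not real). "production" and "development" are
# the groups created in the post; "Cost Optimization" already existed.
IDENTITY_STORE_ID = "d-EXAMPLE12345"
ENV_GROUPS = {"production", "development"}


def fetch_memberships(identity_store_id: str) -> dict[str, set[str]]:
    """Return {group display name: {user names}} from the live identity store."""
    import boto3  # imported here so the offline audit needs no AWS SDK
    ids = boto3.client("identitystore")
    groups = {}
    for page in ids.get_paginator("list_groups").paginate(IdentityStoreId=identity_store_id):
        for g in page["Groups"]:
            groups[g["GroupId"]] = g["DisplayName"]
    members = {name: set() for name in groups.values()}  # keep empty groups visible
    for gid, name in groups.items():
        for page in ids.get_paginator("list_group_memberships").paginate(
                IdentityStoreId=identity_store_id, GroupId=gid):
            for m in page["GroupMemberships"]:
                user = ids.describe_user(IdentityStoreId=identity_store_id,
                                         UserId=m["MemberId"]["UserId"])
                members[name].add(user["UserName"])
    return members


def users_in_both_environments(members: dict[str, set[str]]) -> set[str]:
    """Users in more than one environment group: a single MFA sign-in then opens
    both production and development, which least privilege argues against."""
    seen = defaultdict(set)
    for group, users in members.items():
        if group in ENV_GROUPS:
            for u in users:
                seen[u].add(group)
    return {u for u, gs in seen.items() if len(gs) > 1}


def groups_without_members(members: dict[str, set[str]]) -> set[str]:
    """Groups that exist but grant access to nobody (stale access surface)."""
    return {g for g, users in members.items() if not users}


# Constructed sample mirroring the post's groups; not data from a real account.
SAMPLE = {"production": {"alice", "carol"}, "development": {"bob", "carol"},
          "Cost Optimization": set()}
```

Against a real account, replace SAMPLE with fetch_memberships(IDENTITY_STORE_ID) using credentials that have identitystore read permissions.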

Enable Multi-Factor Authentication (MFA): I went to Settings in the SSO Console, and in the MFA section I clicked Configure (Image 6). For "Users should be prompted for MFA", I chose "Every time they sign in." For "Users can authenticate with these MFA types", I chose "Authenticator Apps." For "If a user does not yet have a registered MFA device", I chose "Require them to provide a one-time password sent by email to sign in." I then saved the changes.

Image 6

I then registered the MFA devices. I like to use Google MFA on my mobile device.

Now in order to access their groups, users will be prompted to use MFA before gaining access.
