Profile Applicability:

  • Level 1

Description:

Amazon Directory Service (DS) provides managed directory services for your AWS resources, such as Active Directory (AD). Multi-Factor Authentication (MFA) enhances security by requiring users to provide two forms of identification before gaining access to resources. RADIUS (Remote Authentication Dial-In User Service) is a protocol that can be used for MFA in AWS Directory Service. By enabling MFA using a RADIUS server, you ensure that users are required to authenticate using both their password and a second form of authentication, such as a one-time passcode (OTP) from a mobile device, before accessing AWS resources.

This SOP ensures that MFA using a RADIUS server is enabled in Amazon Directory Service to provide an additional layer of security for your AWS resources.

Rationale:

  • Enhanced Security: Enabling MFA adds a layer of protection beyond just a password, which helps to mitigate the risk of unauthorized access.

  • Compliance: Many compliance standards, such as PCI-DSS and SOC 2, require the use of multi-factor authentication to secure access to sensitive systems.

  • Access Control: MFA ensures that only authorized users with both the password and the second form of authentication can access resources, reducing the risk of compromise through stolen credentials.

Impact:

Pros:

  • Improved Security: MFA protects against unauthorized access due to stolen or compromised credentials, making it more difficult for attackers to gain access.

  • Regulatory Compliance: Meets requirements for multi-factor authentication outlined by industry standards and regulatory bodies.

  • Reduced Risk of Breaches: Adds an extra layer of security that helps prevent unauthorized access and data breaches.

Cons:

  • Complexity: Configuring and maintaining MFA with a RADIUS server may add complexity to the authentication infrastructure.

  • User Experience: Users may face some inconvenience during login, requiring them to provide a second form of authentication.

  • Costs: Implementing and maintaining a RADIUS server may incur additional infrastructure costs, depending on the solution chosen.

Default Value:

By default, Amazon Directory Service does not enable MFA with a RADIUS server. MFA must be explicitly configured and linked to a RADIUS server for authentication.

Pre-requisite:

  • AWS IAM Permissions:

    • ds:DescribeDirectories

    • ds:EnableRadius

    • ds:DisableRadius (needed for the backout plan)

  • AWS CLI installed and configured.

  • RADIUS server available and configured to work with Amazon Directory Service.

  • Directory Service configured and active in the AWS account.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Directory Service under Services.

  3. Select the Directory Service you want to configure.

  4. Under MFA Settings, check if RADIUS-based MFA is enabled.

    • If enabled, the RADIUS server details will be listed, and MFA will be active.

    • If disabled, the RADIUS server is not configured for MFA, and further configuration is needed.

Using AWS CLI:

To check if RADIUS MFA is enabled, run:

aws ds describe-directories --directory-ids <directory-id> --query "DirectoryDescriptions[0].[RadiusStatus,RadiusSettings]"

RadiusStatus is "Completed" when MFA with RADIUS is configured and active. If the query returns no RadiusStatus or RadiusSettings (null), RADIUS MFA has not been enabled on the directory. "Creating" means the configuration is still in progress, and "Failed" means the RADIUS configuration did not succeed and must be reviewed before MFA can be considered in place.
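The check above, as an added example that is not part of the original SOP: a small audit that evaluates the JSON returned by `aws ds describe-directories` (or the boto3 equivalent) for every directory in the account and flags any where RADIUS MFA is absent or not in the Completed state. The sample response and directory IDs below are constructed for illustration.

```python
"""Audit AWS Directory Service directories for RADIUS-based MFA.

Input is the JSON document produced by `aws ds describe-directories --output json`.
A directory counts as compliant only when RadiusStatus is "Completed"; a directory
with no RadiusSettings/RadiusStatus keys has never had RADIUS configured.
"""
import json
import subprocess
from typing import Dict, List

COMPLIANT_STATUS = "Completed"  # other possible values: "Creating", "Failed"


def evaluate_directory(d: Dict) -> Dict:
    """Classify one DirectoryDescription entry."""
    settings = d.get("RadiusSettings")
    status = d.get("RadiusStatus")  # absent when RADIUS was never enabled
    if settings is None and status is None:
        finding = "RADIUS MFA not configured"
    elif status == COMPLIANT_STATUS:
        finding = "OK"
    else:
        finding = f"RADIUS configured but status is {status}"
    return {
        "DirectoryId": d.get("DirectoryId"),
        "Name": d.get("Name"),
        "Type": d.get("Type"),
        "RadiusStatus": status,
        "RadiusServers": (settings or {}).get("RadiusServers", []),
        "Compliant": finding == "OK",
        "Finding": finding,
    }


def audit(response: Dict) -> List[Dict]:
    """Evaluate every directory in a describe-directories response."""
    return [evaluate_directory(d) for d in response.get("DirectoryDescriptions", [])]


def noncompliant_ids(response: Dict) -> List[str]:
    """Directory IDs that fail the RADIUS MFA check."""
    return [r["DirectoryId"] for r in audit(response) if not r["Compliant"]]


def live_audit() -> List[Dict]:
    """Run the check against the current account via the AWS CLI."""
    out = subprocess.check_output(["aws", "ds", "describe-directories", "--output", "json"])
    return audit(json.loads(out))


# Constructed sample response; the IDs, names and addresses are placeholders.
SAMPLE_RESPONSE = {"DirectoryDescriptions": [
    {"DirectoryId": "d-0000000001", "Name": "corp.example.com", "Type": "MicrosoftAD",
     "RadiusSettings": {"RadiusServers": ["10.0.0.10"], "RadiusPort": 1812}, "RadiusStatus": "Completed"},
    {"DirectoryId": "d-0000000002", "Name": "dev.example.com", "Type": "ADConnector",
     "RadiusSettings": {"RadiusServers": ["10.0.0.11"], "RadiusPort": 1812}, "RadiusStatus": "Failed"},
    {"DirectoryId": "d-0000000003", "Name": "lab.example.com", "Type": "MicrosoftAD"},
]}

if __name__ == "__main__":
    for r in audit(SAMPLE_RESPONSE):
        print(f"{r['DirectoryId']} {r['Name']}: {r['Finding']}")
```

Replace `SAMPLE_RESPONSE` with the output of `live_audit()` to run it against a real account; the CLI and boto3 return the same field names.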


Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Directory Service.

  2. Select the Directory Service you want to configure (e.g., Microsoft AD or Simple AD).

  3. In the MFA Settings section, choose Enable RADIUS-based MFA.

  4. Provide the RADIUS server configuration (such as IP address, secret key, etc.) to link it with Directory Service.

  5. Save the settings to enable RADIUS MFA.

Using AWS CLI:

To enable RADIUS-based MFA on an existing Directory Service instance, use the following command:

aws ds enable-radius --directory-id <directory-id> --radius-settings '{"RadiusServers":["<radius-server-ip>"],"RadiusPort":1812,"RadiusTimeout":5,"RadiusRetries":3,"SharedSecret":"<radius-secret>","AuthenticationProtocol":"PAP","DisplayLabel":"MFA","UseSameUsername":true}'

Port 1812 is the standard RADIUS authentication port; set the port, timeout, retries and AuthenticationProtocol (PAP, CHAP, MS-CHAPv1 or MS-CHAPv2) to match your RADIUS server. The shared secret is sensitive, so avoid leaving it in shell history or committed scripts.

To verify the MFA settings, run:

aws ds describe-directories --directory-ids <directory-id> --query "DirectoryDescriptions[0].[RadiusStatus,RadiusSettings]"

Backout Plan:

If enabling RADIUS-based MFA causes issues (e.g., login failures or access problems):

Identify the affected Directory Service and review the RADIUS server configuration.

Revert the changes by disabling RADIUS MFA:

aws ds disable-radius --directory-id <directory-id>

Monitor the directory service to ensure that users can access the resources without MFA.

Note:

  • RADIUS Configuration: Ensure that your RADIUS server is correctly configured to communicate with Directory Service. This may involve setting up the server’s IP address and secret key in the Directory Service configuration.

  • User Communication: Inform users about the MFA requirement and provide guidance on using their second factor for authentication (e.g., an OTP from a mobile app).

  • Monitoring: Regularly monitor access logs to ensure that the RADIUS-based MFA solution is functioning correctly and that no issues arise with user authentication.

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
--------|------------|---------------------|-----|-----|----
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |
v8 | 14.6 | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | |