Profile Applicability:
Level 1
Description:
Amazon Directory Service (DS) provides managed directory services, such as AWS Managed Microsoft AD and Simple AD, which can integrate with RADIUS (Remote Authentication Dial-In User Service) servers for Multi-Factor Authentication (MFA) and authentication purposes. It is essential that the RADIUS server used with Directory Service employs a secure communication protocol to safeguard sensitive data and prevent unauthorized access.
This SOP ensures that the RADIUS server in use with Amazon Directory Service adheres to recommended security protocols, such as RADIUS over TLS (RadSec) or RADIUS with a strong shared secret, to protect communication between the Directory Service and the authentication server.
Rationale:
Enhanced Security: Using secure protocols such as RADIUS over TLS (RadSec) ensures that all authentication traffic between Directory Service and the RADIUS server is encrypted, protecting it from interception and tampering.
Preventing Data Breaches: A secure RADIUS protocol prevents attackers from exploiting weak protocols and gaining unauthorized access to the directory.
Compliance: Compliance frameworks (such as PCI-DSS, SOC 2, HIPAA) require the use of secure authentication mechanisms. Adhering to recommended protocols ensures compliance with these regulations.
Impact:
Pros:
Increased Security: Securing the RADIUS server with the recommended protocol protects authentication traffic from eavesdropping, ensuring the confidentiality of sensitive data.
Regulatory Compliance: Adheres to industry standards and compliance frameworks that require secure communication methods for authentication services.
Protection Against Attacks: Prevents attacks, such as man-in-the-middle (MITM) attacks, by securing the data exchanged between Directory Service and the RADIUS server.
Cons:
Configuration Complexity: Implementing a secure RADIUS protocol may require additional configuration steps and understanding of security protocols.
Resource Consumption: Some secure RADIUS protocols, such as RadSec, may require additional resources (e.g., certificates, configuration adjustments) that could increase management overhead.
Default Value:
By default, Amazon Directory Service does not enforce the use of secure RADIUS protocols. The RADIUS server must be explicitly configured to use the recommended security protocols, such as RADIUS over TLS (RadSec).
Pre-requisite:
AWS IAM Permissions:
ds:DescribeDirectories
ds:UpdateDirectory
AWS CLI installed and configured.
RADIUS Server configured and operational.
Directory Service instance (e.g., AWS Managed Microsoft AD) must be active.
TLS Certificates (if using RadSec) should be obtained and configured.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Directory Service under Services.
Select the Directory Service you want to verify.
Under Directory details, review the RADIUS server settings.
Verify the security protocol being used by the RADIUS server (e.g., RadSec or a secure shared secret).
If using RadSec, check that RADIUS over TLS is enabled and that the necessary certificates are configured.
Using AWS CLI:
To check the RADIUS configuration, run:
aws ds describe-directories --directory-ids <directory-id> --query "DirectoryDescriptions[0].[RadiusStatus,RadiusSettings]"
Ensure the protocol is listed as RadSec (if using RADIUS over TLS).
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Directory Service.
Select the Directory Service instance you want to configure.
Under MFA Settings, select Enable RADIUS Authentication.
Configure the RADIUS server settings to use the recommended security protocol:
For RADIUS over TLS (RadSec):
Provide the RADIUS server’s IP address.
Ensure that TLS certificates are configured for secure communication.
Set the shared secret with a strong password to prevent unauthorized access.
Save the configuration.
Using AWS CLI:
To configure RADIUS over TLS (RadSec), run:
aws ds enable-radius --directory-id <directory-id> --radius-settings "RadiusServers=[<radius-server-ip>],RadiusPort=<port>,RadiusTimeout=<seconds>,RadiusRetries=<count>,SharedSecret=<strong-shared-secret>,AuthenticationProtocol=<protocol>,DisplayLabel=<label>,UseSameUsername=true"
# For a directory that already has RADIUS enabled, use "aws ds update-radius" with the same --radius-settings structure.
Verify that RADIUS over TLS is correctly configured:
aws ds describe-directories --directory-ids <directory-id> --query "DirectoryDescriptions[0].[RadiusStatus,RadiusSettings]"
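As an added example (not part of this SOP and not AWS tooling), the following Python function audits a DirectoryDescription record, as returned by aws ds describe-directories or as prepared for enable-radius/update-radius, against the checks in the test plan above: RADIUS status, server list, authentication protocol and shared-secret strength. The minimum secret length, the character-class rule and the preference for MS-CHAPv2 are assumptions of this example, and the sample records (placeholder directory ids) are constructed.

```python
import string

# Policy values below are assumptions of this example, not AWS requirements.
MIN_SECRET_LEN = 22
PREFERRED_PROTOCOL = "MS-CHAPv2"   # MS-CHAPv1, CHAP and PAP are treated as weak


def secret_is_strong(secret):
    """Assumed policy: minimum length plus at least three character classes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    used = sum(any(c in cls for c in secret) for cls in classes)
    return len(secret) >= MIN_SECRET_LEN and used >= 3


def audit_radius(directory):
    """Audit one DirectoryDescription record; an empty list means it passes."""
    findings = []
    status = directory.get("RadiusStatus")
    if status != "Completed":
        findings.append(f"RadiusStatus is {status!r}, expected 'Completed'")
    settings = directory.get("RadiusSettings") or {}
    if not settings.get("RadiusServers"):
        findings.append("no RadiusServers configured")
    proto = settings.get("AuthenticationProtocol")
    if proto != PREFERRED_PROTOCOL:
        findings.append(f"AuthenticationProtocol {proto!r} is weaker than {PREFERRED_PROTOCOL}")
    # The shared-secret check is most useful on the settings you are about to
    # pass to enable-radius/update-radius; it is skipped when the field is absent.
    secret = settings.get("SharedSecret")
    if secret is not None and not secret_is_strong(secret):
        findings.append("SharedSecret does not meet the assumed strength policy")
    return findings


def sample_directories():
    """Constructed records (placeholder ids), shaped like describe-directories output."""
    base = {"RadiusServers": ["10.0.1.25"], "RadiusPort": 1812, "RadiusTimeout": 10,
            "RadiusRetries": 3, "DisplayLabel": "corp-mfa", "UseSameUsername": True}
    weak = {"DirectoryId": "d-PLACEHOLDER1", "RadiusStatus": "Completed",
            "RadiusSettings": {**base, "SharedSecret": "radius123",
                               "AuthenticationProtocol": "PAP"}}
    good = {"DirectoryId": "d-PLACEHOLDER2", "RadiusStatus": "Completed",
            "RadiusSettings": {**base, "SharedSecret": "Xq7!vR2#kLm9$pW4&zT6nB8e",
                               "AuthenticationProtocol": "MS-CHAPv2"}}
    return weak, good


if __name__ == "__main__":
    for record in sample_directories():
        print(record["DirectoryId"], audit_radius(record) or "PASS")
```

To audit a live directory, feed the JSON from the describe-directories command above (one DirectoryDescriptions entry) to audit_radius.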
Backout Plan:
If enabling secure RADIUS protocols (e.g., RadSec) causes problems (e.g., connectivity issues with the RADIUS server):
Identify the affected Directory Service and verify if the RADIUS server configuration is correct.
Revert the changes by disabling RADIUS over TLS:
aws ds disable-radius --directory-id <directory-id>
Monitor the directory to confirm that users can still authenticate successfully once the RADIUS server is no longer using the secure protocol.
Note:
RadSec Configuration: If using RADIUS over TLS (RadSec), ensure that the RADIUS server is configured to accept connections over TLS and that the appropriate SSL/TLS certificates are provided.
Certificate Management: Ensure the TLS certificates used for RadSec are valid and properly managed to avoid disruptions in RADIUS authentication.