Sometime back, I was lamenting
about the lack of security in the authentication layer of Amazon Web
Services. Especially, I found the ease with which one can gain control
of AWS account by cracking just the user’s login credentials for AWS
console very troubling.
Before the release of console, someone who steals the Amazon password
of an user, could log into their AWS account and get the public/private
key and certificates. They can then use this information to cause havoc
in the EC2 deployment. With this console, the hacker cracker has one
less step to manage. He/She can just log into the EC2 web based
management console with the Amazon.com account password they stole and
create havoc. They don’t even have to worry about looking for the
public/private key and certificates.
I suggested that Amazon should spruce up the authentication procedures
by separating the AWS account from the amazon.com account. I also
suggested that they enforce a strong password policy so that, at least,
script kiddies will not crack these accounts. Well, finally, Amazon
woke up to this lack of strong authentication procedures and announced the availability of a multi-factor authentication.
With this new optional layer of additional authentication, Amazon lets
users enter a randomly generated 6 digit key to log into the AWS
account and AWS console. To do this, Amazon Web Services has partnered
with a third party vendor to offer an authentication device for their
customers. The customers can, then, add this device with their AWS
account and use the key generated in sync with the AWS account to
authenticate themselves. This device is available from Gemalto for just $12.99. There is no extra cost involved with Amazon for this additional security.
Let us try to understand the pros and cons of this feature.
- An additional layer of security in authentication is a must and this option fills the long standing security gap
- Since the key can only be used only once, any capture of the key by means of man in the middle attack doesn’t matter much
- Seamless integration and key generation
- If the authentication device and Amazon account are out
of sync, AWS re-syncs automatically without any need to take the phone
and talk to Amazon
- The addition of an extra layer of security doesn’t
affect the API access. So, there is no associated confusion in the AWS
partner ecosystem due to this
- The last point under pro is also a con. Since this
additional layer of security does nothing to the API access, any
compromise on the API access continue to affect the customers
- The login to the AWS account is tied to this
authentication device. The lack of availability of this device at any
time at any place means that there is no access to the AWS account. The
same applies to the loss of the device itself. The customer has to,
then, contact Amazon to get the extra authentication disabled before
they can get access to their AWS account. The same problem is there
with the corruption of these devices too. This is where a technology
like Syferlock can play a big role
- This feature is available for single user accounts only.
This cannot be used with many users using the same Amazon account as
well as with a single user using many Amazon accounts. This implies
that it is not useful for companies with more than one system admin
managing these Amazon instances
In spite of the limited value of this feature, it is a very welcome
option. It protects the Amazon cloud deployments of users. I am really
keen to see if Amazon is going to add some other security features
suitable for enterprise customers in the days (months?) to come.