Two Factor Authentication on EC2

security authentication amazon-ec2 two-factor

Solution 1:

With duo_unix, you can add two-factor authentication for any SSH login method, and with the Duo OpenVPN integration, you can add two-factor authentication to OpenVPN.

Disclaimer, I work for Duo.

Solution 2:

Update

AWS has recently announced Resource-Level Permissions for Amazon EC2 and Amazon RDS to address this long standing shortcoming of IAM support within EC2 and RDS mentioned in my original answer below:

Today we are making IAM even more powerful with the introduction of resource-level permissions for Amazon EC2 and Amazon RDS. [...]

On the EC2 side, you can now construct and use IAM policies to control access to EC2 instances, EBS volumes, images, and Elastic IP addresses. [...]

Here are just a few of things that you can do:

  • Allow users to act on a limited set of resources within a larger, multi-user EC2 environment.
  • Set different permissions for "development" and "test" resources.
  • Control which users can terminate which instances.
  • Require additional security measures, such as MFA authentication, when acting on certain resources. [emphasis mine]

As emphasized, using MFA when acting on certain resources is now possible for EC2 instances too, so you could e.g. limit stopping and termination of an EC2 instance to a user who is authenticated by username/password and an authentication code from an MFA device.

Initial Answer

Two-factor authentication similar to SecurID is readily available via AWS Identity and Access Management (IAM) by means of the AWS Multi-Factor Authentication. Whether this actually applies to your question depends on your particular use case though, i.e. what scenarios you need to protect with two-factor authentication (e.g. the mentioned SSH access vs. AWS Management Console access vs. access to websites you host on EC2 in return etc.).

Specifically, IAM covers access to the AWS Management Console but obviously not SSH, in addition EC2 is one of the AWS products, where IAM does not apply at the resource level, rather only at the service level, see Integrating with Other AWS Products and Using AWS Identity and Access Management with EC2, especially the following disclaimer:

Important

Amazon EC2 uses SSH keys, Windows passwords, and security groups to control who has access to specific Amazon EC2 instances. You can't use the IAM system to allow or deny access to a specific instance.

Please note that IAM usage is highly recommended for anything AWS regardless of multifactor-authentication.

Finally I'd like to highlight two more recent additions to IAM potentially helpful regarding your use case as well:

  • AWS Identity and Access Management - Now With Identity Federation - This new capability allows existing identities (e.g. users) in your enterprise to access AWS APIs and resources using IAM's fine-grained access controls, without the need to create an IAM user for each identity.
  • AWS Virtual (Software) Multi-Factor Authentication - RFC 6238 Support - We support hardware MFA devices, which you can purchase to generate your MFA authentication codes. [...] Today we are pleased to announce that we are introducing an additional option, the Virtual MFA device. You can now generate MFA authentication codes on your smartphone or tablet.

Solution 3:

You will need to secure access to the EC2 console with two-factor. There you are at the mercy of Amazon. For SSH access, you can do lots of options. You can do SSH keys and require that the keys have a password. However, note that there is nothing to keep someone from writing an SSH client that lies about the cert having a password. SSH is great from a security PoV, but it doesn't always pass muster for regulatory requirements. For example, the keys might need to be re-generated periodically. SSH doesn't support that.

PAM radius is your friend if you decide to use a two-factor auth system: http://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to

hth,

Solution 4:

EC2 now has 2 factor authentication to it's services which is an important first step.

However, anything hosted on a cloud service that you don't own should be considered insecure at best.

The reason being is you have a virtual machine, with shared memory and shared resources. With EC2, you don't know where the data resides or how it's effectively stored. You may find that your VPS is shared with other VPS's from other organisations.

So if you're going to store financial data on EC2 in an EBS drive you should encrypt it.

But while you might think this is therefore secure, you are only as secure as your weakest link.

To quote another source because he says it well.

... but VM instances often share physical hardware with other instances, and since EC2 is a public service, those co-resident VMs may not be entirely friendly. The major threat here is, of course, software vulnerabilities -- things that can let an attacker break out of one VM and into another. But even if you perfect the software, there's another more insidious threat: namely, that the attacker VM instance could be able to run a side-channel attack on the co-resident VM.

Which would make 2 factor authentication useless against this type of attack.

Now if you can live with that, how do you do it? This stackoverflow question/answer provides you with some answers on using google authenticator which is one of the better ones.

But there are many 2 factor authentication options out there, some require hardware keyfobs and others like google authenticator use your mobile phone. The bank or financial institution may actually mandate which 2 factor authentication method they will allow.

OpenID is a great idea in that it allows you to use your openid to log into many services. But it's also flawed because it allows a single login to gain access to many things. A quick Google and I found http://wikid.com/ which uses OpenID and 2 factor authentication. I'd be hesitant to use it in your particular case.

By the way, are you going to be accepting payments from credit cards? You may find you need to be PCI compliant and I'm not entirely sure if you will be able to be compliant on an EC2 instance. They are quite strict, but for good reason. There are ways to reduce your risks though by not directly accepting card payments and not storing credit card data but by going through a 3rd party payment provider service that your website can interact with.

If you are a merchant that accepts payment cards, you are required to be compliant with the PCI Data Security Standard. You can find out your exact compliance requirements only from your payment brand or acquirer. However, before you take action, you may want to obtain background information and a general understanding of what you will need to do from the information and links here.

Related

Apache Tomcat Windows service ignoring JAVA_HOME environment variable
How to install all the perl modules in Ubuntu at once
Does anybody know how to disable connman?
Wired network extremely slow
how to manually install Firefox plugins, ubuntu 20
Desktop environment isn't working after trying to install GNOME 40
Trying to understand errors from tpm2-tools
how to mount a writable loopback image as easily as we can create it?
Wifi stops working after reboot unless I boot Windows first
Error running AppImage "fusermount: mount failed: Operation not permitted" on Ubuntu 20.04
How to remove KDE icons from Ubuntu 20.04 after uninstalling Latte Dock
I just installed Quixel and Nuke, how can I create an alias for them in Ubuntu? [duplicate]