AWS Partner Network (APN) Blog
Managing AWS Account Root MFA Using CyberArk Privileged Access Manager
By Yonatan Klein, Director of Product Management, Cloud Security – CyberArk
By Bohan Li, Sr. Security Consultant – AWS
By Fritz Kunstler, Principal Security Consultant – AWS
Security is the top priority at Amazon Web Services (AWS), and protecting AWS account root users with multi-factor authentication (MFA) is a crucial security control.
Now, you can use CyberArk’s Privileged Access Manager (PAM) to securely manage the AWS account root and authenticate its use with MFA. This integration strengthens security posture and reduces risk by increasing control, visibility, and availability of AWS root account access. It also helps collaboration where a few team members need access to a shared root account while you still wish to enforce personal-level access control and audit.
In this post, we will review the current MFA features for AWS account root user, provide a step-by-step walkthrough of how to install and configure CyberArk PAM to manage root accounts with MFA, and show you how to sign into the AWS root account with CyberArk PAM.
CyberArk is an AWS Security Competency Partner and AWS Marketplace Seller that’s a leader in identity security. Centered on privileged access management, CyberArk provides a comprehensive security offering for any identity across business applications, distributed workforces, hybrid cloud workloads, and throughout the DevOps lifecycle.
Overview of MFA for the AWS Account Root
First, let’s recap some of the benefits and available MFA configurations for AWS Identity and Access Management (IAM).
The use of MFA is an important security best practice for AWS, as you have an additional layer of protection to help prevent unauthorized individuals from gaining access to systems and data. MFA helps protect your AWS environments if a password associated with your root user or IAM user becomes compromised.
As a security best practice, AWS recommends avoiding using root users or IAM users to manage routine access to your accounts. Instead, use AWS IAM Identity Center to manage access to your accounts. You should only use root users for tasks they are required for.
To help meet different customer needs, AWS supports three types of MFA devices for IAM, including FIDO security keys, virtual authenticator applications, and time-based one-time password (TOTP) hardware tokens. You should select the device type that aligns with your security and operational requirements for each use case.
Continuous Availability of Root Access
For customers who already use CyberArk PAM to secure privileged access, this post describes how to use CyberArk PAM to manage AWS root with MFA.
AWS security best practices recommend safeguarding root user credentials and preventing their use for everyday tasks, in accordance with the principle of least privilege access.
Yet, some usage of the root account is inevitable, as there are tasks only the root user can perform. In these scenarios, CyberArk allows you to share access securely, and lets you apply enterprise-grade features such as fine-grained personal access control, integration with enterprise identity management and IT workflow systems, and per-user audit trails to meet compliance requirements.
In 2022, AWS released the ability to assign multiple MFA devices to a single user in IAM. You can also associate different types of MFA devices with a root user and with an IAM user.
Configuring CyberArk PAM
In this section, we’ll provide a step-by-step walkthrough for configuring CyberArk PAM to manage AWS root MFA. It’s assumed you have basic knowledge of CyberArk PAM.
Step 1: Download and Import Plugins to CyberArk PAM
Please note the version numbers in the following process may change, and the file names will change accordingly.
- Download the following plugins from CyberArk Marketplace:
- AWS Root Management with MFA: Contains MFADeviceKeys-v12.5.zip and AWSRootAccountsWithMFA-v12.5.zip
- AWS Console for Root
- TOTP MFA Code Generator
- Configure connector and associate with platform. Log on to the CyberArk PAM web portal and perform the following steps:
- Go to Administration > Platform Management
- Select Import Platform and upload MFADeviceKeys-v12.5.zip
- Select Import Platform and upload AWSRootAccountsWithMFA-v12.5.zip
- Go to Administration > Platform Management to verify two platforms are imported under the Website section
Figure 1 – Imported Platforms under Website.
- Configure connector:
- Go to Administration > Platform Management
- Under PSM Secure Connect, click on the three dots drop-down button and select Manage PSM connectors
Figure 2 – Manage PSM connectors.
- Browse and import files PSM-TOTPToken.zip and AWS-Root-v12.0.zip, and then associate TOTP Token and AWS Console with Root
Figure 3 – Associate connectors.
- Under Websites, click on the three dots drop-down button next to AWS Root Accounts with MFA, select Manage PSM connectors and associate TOTP Token and AWS Console with Root
- Under Websites, click on the three dots drop-down button next to MFA Device Keys, select Manage PSM connectors and associate TOTP Token
Step 2: Configure Security Policy in CyberArk PAM
This step allows users to connect to target systems.
- Go to Policies > Master Policy > Session Management
- If the setting for “Require privileged session monitoring and isolation” is set to Inactive, then add AWS Root Account with MFA, MFA Devices, and PSM Secure Connect as exceptions with the value Active. If the value is set to Active by default, then no action is required for this step.
- If the setting for “Record and save session activity” is set to Inactive, add AWS Root Account with MFA, MFA Devices, and PSM Secure Connect as exceptions with the value as Active. If the value is set to Active by default, then no action is required for this step.
Figure 4 – Add exceptions.
Step 3: Configure CyberArk Privileged Session Manager (PSM)
- On each PSM server, validate the TOTPToken.exe file exists in the {PSMInstallDir}\Components path. If the file does not exist, extract it from the PSM-TOTPToken.zip file and copy it to the {PSMInstallDir}\Components path.
- Add the following lines in the {PSMInstallDir}\Program Files (x86)\CyberArk\PSM\Hardening\PSMConfigureApplocker.xml file in the <!-- PSM Components --> section:
<Application Name="TOTPToken" Type="Exe" SessionType="*"
Path="C:\Program Files (x86)\CyberArk\PSM\Components\TOTPToken.exe"
Method="Hash" />
Note: Update path according to the {PSMInstallDir}\Components folder location.
- Execute the PSMConfigureApplocker.ps1 script to add the new rule to the AppLocker settings.
Step 4: Configure CyberArk Safe
Within each CyberArk credential safe, there are three types of Safe Member access permissions (Use, Retrieve, and List accounts) that control the level of access to MFA secrets vaulted in the safe, where “Use” refers specifically to PSM connections.
The “Use accounts” permission allows a user to request an MFA token, and the “Retrieve accounts” permission allows a user to retrieve a secret.
Customers should define a RACI model for managing MFA secrets vs. tokens and grant permissions accordingly. Furthermore, you can store MFA secrets in different safes and control access at the safe level to meet your organizational requirements.
The scope of the safes should align with the scope of the administration of AWS accounts. For example, if the administration unit for AWS accounts is defined per AWS Organization Unit (OU), then you should store AWS root MFA secrets in a separate safe for each OU.
All activities pertaining to accessing the safe that stores root MFA secrets should be logged and monitored. CyberArk provides an out-of-box logging and monitoring capability.
Inspecting safe activity and additional governance can be introduced by adding an approval workflow and requiring an ITSM ticket for any root access. Monitoring and alerting should also be configured in AWS for root activities.
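As an added example of the AWS-side monitoring the paragraph above calls for (not code from the post or from CyberArk), the following Python function walks CloudTrail records and flags every root-user event, escalating console logins that lack MFA or that do not originate from the PSM servers. The CloudTrail records and the PSM egress address allowlist are constructed assumptions.

```python
import json

# Constructed sample CloudTrail delivery (not real log data); the field names
# follow the CloudTrail record schema for ConsoleLogin and API events.
SAMPLE_TRAIL = """{"Records": [
 {"eventTime": "2024-01-10T09:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "Yes"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2024-01-10T09:05:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"},
  "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventTime": "2024-01-10T09:07:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "Root"}},
 {"eventTime": "2024-01-10T09:10:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}, "additionalEventData": {"MFAUsed": "Yes"},
  "responseElements": {"ConsoleLogin": "Success"}}
]}"""

# Assumption: root sessions are only ever brokered by the PSM servers, so their
# egress addresses form an allowlist (constructed value).
PSM_EGRESS_IPS = {"203.0.113.10"}

def load_records(trail_json):
    """Parse a CloudTrail delivery document into its list of event records."""
    return json.loads(trail_json)["Records"]

def root_findings(records, psm_egress_ips):
    """Return (severity, rule, sourceIPAddress) for every root-user event."""
    findings = []
    for ev in records:
        if ev.get("userIdentity", {}).get("type") != "Root":
            continue  # IAM users and roles are covered by other rules
        ip = ev.get("sourceIPAddress", "")
        if ev.get("eventName") == "ConsoleLogin":
            if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append(("high", "root-console-login-without-mfa", ip))
            if ip in psm_egress_ips:
                findings.append(("info", "root-console-login-via-psm", ip))
            else:
                findings.append(("high", "root-console-login-outside-psm", ip))
        else:
            # Any other root API call is routine use of root, which best practice forbids
            findings.append(("medium", "root-api-call:" + ev.get("eventName", "?"), ip))
    return findings

if __name__ == "__main__":
    for severity, rule, ip in root_findings(load_records(SAMPLE_TRAIL), PSM_EGRESS_IPS):
        print(severity, rule, ip)
```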
Registration
- Follow steps 1-4 in Enable a virtual MFA device for your AWS account root user (console) and save the secret configuration key for later steps.
- In the CyberArk PAM portal, go to Account > Add account. Use the following configurations:
- System type: Website
- Platform: AWS Root Accounts with MFA
- Safe: Selected safe by customer
- Username: Email address of root user
- Address: https://console.aws.amazon.com/console/home
- Go to Account > Add account. Use the following configurations:
- System type: Website
- Platform: MFA Device Keys
- Safe: Selected safe by customer
- Username: Email address of root user
- Password: Secret configuration key collected in step 1
- Go to Account and click on the AWSRootAccountswithMFA account > Additional details and actions in classic interface. Next, click on Associate next to Logon Account and select the MFADeviceKeys account to associate.
Figure 5 – Associate logon accounts.
Sign-In Experience
- Get one-time password:
- Click on the Connect button of the AWSRootAccountswithMFA account and provide reason.
- An RDP session is initiated, and the generated MFA codes are displayed.
- Go back to the AWS console and complete the rest of steps in Enable a virtual MFA device for your AWS account root user (console) to enable CyberArk PAM as virtual MFA device for AWS root MFA.
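As an added example (not code from the post or from CyberArk’s TOTPToken connector), this Python snippet shows how the six-digit code displayed in the PSM session is derived from the vaulted secret configuration key: AWS virtual MFA devices follow RFC 6238 with HMAC-SHA1, a 30-second time step and 6 digits, and AWS asks for two consecutive codes when the device is enabled. The sample secret is a constructed value.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret for illustration only (not a real AWS MFA seed).
# AWS presents the "secret configuration key" as a base32 string; that string is
# what the walkthrough stores as the password of the MFA Device Keys account.
SAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"

def decode_secret(secret_b32):
    """Decode the base32 secret configuration key, tolerating spaces and missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def totp_code(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with the parameters AWS virtual MFA uses: HMAC-SHA1, 30 s step, 6 digits."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)  # 8-byte big-endian time counter
    digest = hmac.new(decode_secret(secret_b32), msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def consecutive_codes(secret_b32, unix_time):
    """The two consecutive codes AWS requires when enabling a virtual MFA device."""
    return totp_code(secret_b32, unix_time), totp_code(secret_b32, unix_time + 30)

def seconds_remaining(unix_time, step=30):
    """How long the code for unix_time stays valid before the next time step."""
    return step - (unix_time % step)

if __name__ == "__main__":
    now = int(time.time())
    first, second = consecutive_codes(SAMPLE_SECRET_B32, now)
    print(f"code {first} (valid {seconds_remaining(now)} s), next {second}")
```

The assertions below use the RFC 6238 SHA-1 test vectors (key "12345678901234567890"), so the codes can be checked against the RFC rather than against a live device.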
Summary
In this post, you learned about the new features of CyberArk Privileged Access Manager (PAM) that enable secure management of multi-factor authentication (MFA) for the AWS account root user, allowing personal-level access control and audit for this highly sensitive account.
This feature allows CyberArk customers to apply existing company workflows and security policies for privileged access to the AWS root account. There is no extra cost for installing the packages for this feature.
CyberArk customers can start using this integration by downloading the packages from CyberArk Marketplace. You can also learn more about CyberArk in AWS Marketplace.
For more information about AWS recommended best practices related to the root user of an AWS account, see the documentation on best practices to protect your account’s root user.
CyberArk – AWS Partner Spotlight
CyberArk is an AWS Partner and global leader in identity security with a rich portfolio of SaaS products for which customers can buy and use a subscription-based license.