nOps can auto-discover violations for some of the more technical Well-Architected Framework Review (WAFR) evidence points such as “SEC-2 – Use strong sign-in mechanisms”. Using nOps’ rules engine, we analyze your AWS accounts, auto-discover violations and report recommendations on your dashboard to explain what you need to do. This means you can replace manual verification steps to focus on other things.
During a WAFR assessment, when analyzing SEC-2, the nOps partner can add a prepared recommendation to the question. It will be automatically added to the WAFR report at the end.
This makes it easier for the AWS partner to:
- Communicate how competent they are during the assessment.
- Speed up creation of a high-quality remediation proposal.
This article helps nOps end-users and partners to build their own custom, prepared recommendations based on industry best practices to codify remediations and grow their AWS competency.
- What is SEC-2 and what are strong sign-in mechanisms?
- How to remediate SEC-2 Use strong sign-in mechanisms
- How to create an nOps Recommendation Template
- Links to more resources
What is SEC-2 and what are strong sign-in mechanisms?
The first verification for SEC-2 is “Are you using strong sign-in mechanisms?”
The guidance is
“Enforce minimum password length, and educate users to avoid common or re-used passwords. Enforce multi-factor authentication (MFA) with software or hardware mechanisms to provide an additional layer.”
nOps will auto-discover all violations of this guidance as soon as you link an AWS account in your client dashboard. It uses a rules engine to analyse your AWS account configurations and in this case it’s looking for Multi-Factor Authentication being used on the root and IAM accounts.
For all auto-discovered violations, nOps will offer a recommendation on how to remediate and stop the violation from happening again.
How to remediate SEC-2 Use strong sign-in mechanisms
AWS recommends the following actions to remediate SEC-2 Use strong sign-in mechanisms:
- Create an IAM policy to enforce MFA sign-in
Create a customer-managed IAM policy that prohibits all IAM actions except for the ones that allow a user to assume roles, change their own credentials, and manage their MFA devices on the My Security Credentials page.
AWS Guide to IAM for MFA - Enable MFA in your identity provider
Enable MFA in the identity provider or single sign-on service, such as AWS Single Sign-On (SSO), that you use.
AWS Guide to MFA and SSO - Configure strong password policy
Configure a strong password policy in IAM and federated identity systems to help protect against brute-force attacks.
AWS Guide to strong password policy - Rotate credentials regularly
Ensure administrators of your workload change their passwords and access keys (if used) regularly.
Rotate credentials regularly
How to create an nOps Recommendation Template
AWS partners use nOps to improve their WAFR capabilities and build their AWS practice.
Key to this is templatizing WAFR recommendations so that they can be reused. Each question such as SEC-2 can have one recommendation attached to it.
This template version should have the correct information in it to make the remediation proposal process much easier and higher quality.
To do this, AWS partners mix both recommendations on remediation actions and link to their professional services packages that will implement the remediations for their customer.
An example nOps Recommendation Template just for SEC-2 Use strong sign-in mechanisms is: