
Enable MFA for AD Connector Directories

Security

Risk level: High (not acceptable risk)

Ensure that MFA using a Remote Authentication Dial-In User Service (RADIUS) server is enabled for the AD Connector directories created with Amazon WorkDocs, in order to secure access to your resources and adhere to AWS security best practices. AD Connector is a directory gateway to your on-premises Microsoft Active Directory that lets the users in your on-premises Active Directory (AD) access Amazon WorkDocs. Multi-Factor Authentication (MFA) is a simple and efficient method of verifying a user's identity: in addition to the usual access credentials (i.e. user name and password), the user must supply an authentication code that is checked against a second factor, in this case a RADIUS server.

Enabling RADIUS-based MFA for your AD Connector directories is one of the most effective ways to protect the services and resources behind them against attackers. The passcode validated by the RADIUS server adds an extra layer of protection on top of the existing user credentials, so a stolen or guessed password alone is not enough to sign in to the directory.

Audit

To determine if your AD Connector directories are using Multi-Factor Authentication (MFA) with RADIUS, perform the following actions:

Note: Verifying the MFA status and configuration of AD Connector directories through the AWS Management Console is not currently supported; the feature can be inspected, enabled and configured only through the AWS Command Line Interface (CLI).

Using AWS CLI

01 Run the describe-directories command (OSX/Linux/UNIX) to list the identifiers of all the Active Directory (AD) Connector directories available in the selected AWS region. The filter on Type keeps only AD Connector directories, since describe-directories also returns Simple AD and Managed Microsoft AD directories, which are outside the scope of this rule:

aws ds describe-directories \
    --region us-east-1 \
    --output table \
    --query 'DirectoryDescriptions[?Type==`ADConnector`].DirectoryId'

02 The command output should return a table with the requested resource IDs:

---------------------
|DescribeDirectories|
+-------------------+
|   d-12345abcde    |
|   d-abcd012345    |
|   d-aabbcc1234    |
+-------------------+

03 Run the describe-directories command (OSX/Linux/UNIX) again, this time passing the ID of the AD Connector directory that you want to examine and a custom query filter, to get the status of the Remote Authentication Dial-In User Service (RADIUS) MFA server connection:

aws ds describe-directories \
    --region us-east-1 \
    --directory-ids d-12345abcde \
    --query 'DirectoryDescriptions[*].RadiusStatus'

04 The command output should return the requested status information:

[]

If the describe-directories command output returns an empty array, as shown in the example above, no RADIUS MFA server is configured for the selected AD Connector directory (the RadiusStatus attribute is absent), therefore the resource does not have Multi-Factor Authentication (MFA) protection enabled.

05 Repeat steps no. 3 and 4 to determine the MFA status of the other AD Connector directories available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
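The audit above, scripted as an added example that is not part of the original Cloud Conformity page: it filters describe-directories output down to AD Connector directories (Type is ADConnector) and, going one step further than the page's empty-array check, treats any RadiusStatus other than "Completed" as non-compliant, since "Creating" and "Failed" mean MFA is not yet enforced. The sample response is constructed; audit_region() assumes boto3 and valid AWS credentials are available.

```python
"""Audit AD Connector directories for RADIUS MFA (added example, not the page's code)."""

# Constructed sample of `aws ds describe-directories` output: an unprotected connector,
# a protected one, one whose RADIUS setup failed, and an out-of-scope Managed Microsoft AD.
SAMPLE_DESCRIBE_OUTPUT = {
    "DirectoryDescriptions": [
        {"DirectoryId": "d-12345abcde", "Type": "ADConnector", "Name": "corp.example.com"},
        {"DirectoryId": "d-abcd012345", "Type": "ADConnector", "Name": "lab.example.com",
         "RadiusStatus": "Completed", "RadiusSettings": {"RadiusServers": ["10.0.0.5"]}},
        {"DirectoryId": "d-aabbcc1234", "Type": "ADConnector", "Name": "dev.example.com",
         "RadiusStatus": "Failed"},
        {"DirectoryId": "d-ffff000011", "Type": "MicrosoftAD", "Name": "managed.example.com"},
    ]
}


def audit_ad_connectors(describe_output: dict) -> list:
    """Return one finding per AD Connector. Only RadiusStatus == "Completed" counts as
    compliant: an absent status (the `[]` the page shows) means no RADIUS server is
    configured, and "Creating"/"Failed" means MFA is not actually enforced yet."""
    findings = []
    for d in describe_output.get("DirectoryDescriptions", []):
        if d.get("Type") != "ADConnector":
            continue  # SimpleAD / MicrosoftAD directories are outside this rule
        status = d.get("RadiusStatus")  # absent when no RadiusSettings exist
        findings.append({
            "DirectoryId": d["DirectoryId"],
            "Name": d.get("Name"),
            "RadiusStatus": status or "NOT_CONFIGURED",
            "Compliant": status == "Completed",
        })
    return findings


def audit_region(region: str) -> list:
    """Live variant: page through describe-directories with boto3 (assumed installed and credentialed)."""
    import boto3  # imported lazily so the offline sample above runs without boto3
    client, kwargs, descriptions = boto3.client("ds", region_name=region), {}, []
    while True:
        page = client.describe_directories(**kwargs)
        descriptions.extend(page["DirectoryDescriptions"])
        if not page.get("NextToken"):
            return audit_ad_connectors({"DirectoryDescriptions": descriptions})
        kwargs["NextToken"] = page["NextToken"]


if __name__ == "__main__":
    for f in audit_ad_connectors(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['DirectoryId']}  {f['RadiusStatus']:<15} {'OK' if f['Compliant'] else 'HIGH RISK'}")
```

Run audit_region() once per region from step 06 to cover the whole account; every finding with Compliant set to False maps to the High risk level at the top of this page.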

Remediation / Resolution

To enable RADIUS-based MFA protection for your Active Directory (AD) Connector directories, perform the following actions:

Note: Enabling Multi-Factor Authentication for AD Connector directories through the AWS Management Console is not currently supported.

Using AWS CLI

01 Define the RADIUS MFA server settings required by the enable-radius command. Create a new JSON document, name it radius-mfa-config.json, and paste the following information into it (replace the RADIUS configuration details shown below, including the shared secret, with your own RADIUS server details):

{
  "RadiusServers": ["radius.cloudconformity.com"],
  "RadiusPort": 1812,
  "RadiusTimeout": 30,
  "RadiusRetries": 3,
  "SharedSecret": "radiusmfa",
  "AuthenticationProtocol": "PAP",
  "DisplayLabel": "RADIUS Multi-Factor Authentication",
  "UseSameUsername": true
}

02 Run the enable-radius command (OSX/Linux/UNIX), passing the JSON configuration file created at the previous step (i.e. radius-mfa-config.json) as the --radius-settings parameter, to enable Multi-Factor Authentication (MFA) for the specified AD Connector directory using a Remote Authentication Dial-In User Service (RADIUS) server (the command does not produce any output):

aws ds enable-radius \
    --region us-east-1 \
    --directory-id d-12345abcde \
    --radius-settings file://radius-mfa-config.json

03 Repeat steps no. 1 and 2 to enable RADIUS-based Multi-Factor Authentication for the other AD Connector directories available within the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the remediation process for other regions.

Publication date Mar 1, 2019