Ensure that MFA using a Remote Authentication Dial-In User Service (RADIUS) server is enabled for your AD Connector directories created with Amazon WorkDocs, in order to secure access to your resources and adhere to AWS security best practices. AD Connector is a directory gateway to your on-premises Microsoft Active Directory that enables the users within your on-premises Active Directory (AD) to access Amazon WorkDocs. Multi-Factor Authentication (MFA) is a simple and efficient method of verifying a user's identity by requiring an authentication code generated by a virtual device (in this case a RADIUS server), used in addition to your usual access credentials (i.e. user name and password).
Having RADIUS-based MFA protection for your AD Connector directories is the best way to protect your services and resources against attackers. The RADIUS server signature adds an extra layer of protection on top of your existing user credentials, making your AD Connector directories virtually impossible to penetrate without the MFA-generated passcode.
To determine if your AD Connector directories are using Multi-Factor Authentication (MFA) with RADIUS, perform the following actions:
Note: Verifying MFA status and configuration for AD Connector directories using the AWS Management Console is not currently supported. The feature can be enabled and configured only through the AWS Command Line Interface (CLI).
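One way to run this audit from CLI output, as an added example that is not part of the original page: the script reads the JSON returned by `aws ds describe-directories` and reports every AD Connector directory whose `RadiusStatus` is missing or not `Completed`. The function name, the file name in the usage comment and the sample directory data are assumptions constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `aws ds describe-directories --output json`;
# the directory IDs, names and addresses are made up for this example.
SAMPLE = """{"DirectoryDescriptions": [
 {"DirectoryId": "d-1111111111", "Name": "corp.example.com", "Type": "ADConnector",
  "RadiusStatus": "Completed", "RadiusSettings": {"RadiusServers": ["10.0.0.10"]}},
 {"DirectoryId": "d-2222222222", "Name": "lab.example.com", "Type": "ADConnector"},
 {"DirectoryId": "d-3333333333", "Name": "old.example.com", "Type": "ADConnector",
  "RadiusStatus": "Failed", "RadiusSettings": {"RadiusServers": ["10.0.0.11"]}},
 {"DirectoryId": "d-4444444444", "Name": "simple.example.com", "Type": "SimpleAD"}
]}"""


def audit_radius_mfa(raw_json):
    """Return (directory_id, reason) for each AD Connector without working RADIUS MFA."""
    findings = []
    for d in json.loads(raw_json).get("DirectoryDescriptions", []):
        if d.get("Type") != "ADConnector":
            continue  # this rule only covers AD Connector directories
        status = d.get("RadiusStatus")  # Creating | Completed | Failed; absent if never set
        servers = d.get("RadiusSettings", {}).get("RadiusServers", [])
        if status is None:
            findings.append((d["DirectoryId"], "RADIUS MFA not configured"))
        elif status != "Completed":
            findings.append((d["DirectoryId"], "RADIUS status is " + status))
        elif not servers:
            findings.append((d["DirectoryId"], "no RADIUS servers listed"))
    return findings


if __name__ == "__main__":
    # Usage: aws ds describe-directories --output json > dirs.json
    #        python audit_radius.py dirs.json   (no argument: run on SAMPLE)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            raw = fh.read()
    else:
        raw = SAMPLE
    results = audit_radius_mfa(raw)
    for directory_id, reason in results:
        print(directory_id + ": " + reason)
    sys.exit(1 if results else 0)
```

The script exits non-zero when any directory fails the check, so it can gate a scheduled compliance job; run it once per AWS region, since directories are listed per region.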
Remediation / Resolution
To enable RADIUS-based MFA protection for your Active Directory (AD) Connector directories, perform the following actions:
Note: Enabling Multi-Factor Authentication for AD Connector directories using the AWS Management Console is not currently supported.
Enable MFA for AD Connector Directories
Risk level: High