[00:00:06] [Instructor] Now let's review a demo of managing an MFA device. Okay, so once again, from the management console dashboard, in order to manage MFA devices for particular users, we would need to be in the IAM service. So, since we've been there recently, we can find it here, and first let's take a look at our users. So, my user, the admin user that I'm currently logged in with, already has an MFA device present. You can see that I have a virtual MFA device, but the Amy Fowler user does not. And so, very much like access keys, I could create one for her. So I could go here to her user, I go to the security credentials tab, and it says here an MFA device is not assigned. Now if we worked in the same office, where I could say, "Hey Amy, come over here to my desk," then I could go through this process and create a QR code that she could then scan with her virtual MFA application, be it Authy or Google Authenticator, or whatever. If Amy is remote and I'm remote and we're, you know, not in the same office, then of course that's not possible.

[00:01:33] If I created the device for her, then I would have to somehow transfer specific information about that MFA device to her. And I don't really like doing that. Now you may have a transfer method that you trust to be secure, and that's fine, but again, for users managing things like this, access keys and MFA devices, I prefer to empower them to do it themselves. So, just like I want users to manage their own password, I want them to manage their own access keys. I generally want them to manage their own MFA device as well. And so I'm not going to do it for her; I'm going to make sure that she has the ability to do that. This is true for every user, right, not just for developers but everyone. So I wanna take a look at the everyone group. If we take a look here at the everyone group and then look at the permissions: just like a user needs permission to change their password, they need permission to manage their access keys, they also need permissions to manage their MFA device. So I've taken the liberty to create and attach this new policy here, called User Self Managed MFA device.

[00:02:53] Right, so let's take a look at that policy and see what kind of permissions it is granting. You can see here that we are allowing several different actions that all relate to the management of MFA devices, and some of these require the user type, some of them require the MFA type. So, within the IAM service, there are different types of resources: users, groups, roles, policies, and of course, MFA devices. And so, if we did not include the MFA type resource, then several of these actions, like create virtual MFA device, would give us an error. It would tell us we don't have that permission, because some actions require specific types of resources to be defined.

[00:03:43] So, now that we've given our everyone group the ability to manage their MFA device, what we want to do is enforce MFA. Now this is up to you. You don't have to do this, but it's just something that you can do to add an extra layer of security. Okay, so let's take a look at another policy that I created, called (keyboard clicks) ForceMFA.

[00:04:12] So actually, if we search for MFA, you'll see the two different policies here, the self manage and then another one called ForceMFA. All right, so I'm gonna take a look at ForceMFA, and let's just take a look at this policy down here. You'll see that we are using a deny, an explicit deny. And remember that deny rules will take precedence over allow rules. Right, so if you have two conflicting statements, the deny will win. Now what I really want to draw your attention to here is the "not action". All of the other policies that we've created and made use of have leveraged the action key, where here we are using the "not action" key. So what this essentially means is, we are denying all actions other than IAM actions, under the condition that the Multi-Factor Auth Age header in the request, or the parameter in the request, is known. So essentially what this means is that under the condition that multi-factor authentication was not used, deny the request for actions other than IAM actions. Right, so user information, and create an MFA device, and enable and activate that device.

[00:05:48] And then otherwise, if they try to do something with EC2 or Lambda or S3, they can only do those actions if their multi-factor authentication was used during their login. So again, an extra layer of security. Right, so we are going to apply this. Let's go back to groups and take a look at the developers group, and you can see I've already applied the ForceMFA to the developers group. We don't want to force MFA necessarily for everyone, but maybe only certain users. Okay, so I've done all of that under my admin user. I'm going to go ahead and sign out, and I'm going to log back in as the A.Fowler user.

[00:06:40] Okay, so now that we're logged in as A.Fowler, again, we could find the MFA management under IAM, we could go there and then find the user, or we would just go here to my security credentials. And of course, for A.Fowler, we've already done a password, we've created access keys, so here we can say assign MFA device. And according to those permissions, we can only manage one for our current user.

[00:07:12] Before we do that though, I want to point out that because we logged in without MFA, we should not be able to do anything in EC2 or Lambda, for example. Let's just experiment here and go to Lambda, and it should give us an error. Yep, you are not authorized to perform lambda get account settings, right. And if we were to try DynamoDB, (keyboard clicks) it should also give us an error, right. Let's say create table, if we just say test, test, and create, it should give us an error. There we go, not authorized, right. And that's because we did not log in with MFA.

[00:07:58] All right, so let's go back to IAM, or again we could go back to security credentials. We're going to say assign MFA device, and here you can see that we have our choice of virtual MFA device, which is some type of application on your mobile device or your computer. My favorite two are Authy (A-U-T-H-Y) and Google Authenticator. There are others, but those two I've used over the years and they've never failed me. We could also use a U2F security key, or a Gemalto hardware.

[00:08:39] So you can order Gemalto hardware key fobs from Amazon. In this case we're going to use a virtual MFA device. We'll say continue, and now we have a couple of options. We could either get a QR code and scan it into our phone, or we could show the secret key and then copy and paste that. So, if you're using an MFA application on your local machine, you could just show the secret key and then copy and paste that into the application. For our mobile device, we could go show QR code, and then what I would want to do is open the application on my phone, and we would add a new account and say scan QR code, and we would hold our phone up to the screen, and very quickly it would grab that QR code and all of the information that it needs. The account name, the secret key, all of that would be included in the QR code, right. And so once we have that in our virtual device, then we need to add two different codes, right. And of course, these are generated about every thirty seconds.

[00:10:04] So the first one here, 849983, 931, all right, and so now that we've gotten those two MFA codes, two consecutive MFA codes, now we can say assign MFA device. Amazon will verify those codes and then we can say close. Right, so now that we have that, you can see that the A.Fowler user has the assigned MFA device enabled, but she still hasn't logged in with it. We have to actually log in with it for it to enable us to do things with Lambda or DynamoDB, right. So let's log out and log back in and see the difference. So we'll log right back in as A.Fowler, and there you go. It's asking for an MFA code, and I will just enter one. (keyboard clicks) And now we are authenticated. And so now that MFA is present, we should be able to go to Lambda and see everything we need to see, there you go. You can see we have a couple of functions in here, and we did not get that same error, and that's because of the ForceMFA policy that we applied.

[00:11:21] Right, so again, you can find that MFA information in manage MFA devices from the security credentials tab underneath the user. And so now this user is fairly secure, right: they have a strong password, they have access keys that they've downloaded directly themselves, and they've enabled their own MFA device, and MFA is enforced on a number of things that they are doing in their day-to-day operations.