[00:00:00] Now that we have created users and groups, it is time for us to protect these users and groups from being compromised. So for this we can have two defense mechanisms. The first one is to define what's called a Password Policy. Why? Well, because the stronger the password you use, the more security for your accounts. So in AWS, you can set up a password policy with different options. The first one is you can set a minimum password length, and you can require specific character types, for example, you may want to have an uppercase letter, lowercase letter, number, non-alphanumeric characters, for example a question mark, and so on. Then you can allow, or not, IAM users to change their own passwords, or you can require users to change their password after some time, to make your password expire, for example, say every 90 days, users have to change their passwords. Finally, you can also prevent password reuse, so that users, when they change their passwords, don't change it to the one they already have or change it to the one they had before.

[00:00:59] So this is great, a password policy really is helpful against brute force attacks on your accounts. But there's a second defense mechanism that you need to know going into the exam, and this is Multi Factor Authentication, or MFA. It is possible you already use it on some websites, but on AWS it's a must and it's very recommended to use it. So, users have access to your account, and they can possibly do a lot of things, especially if they're administrators: they can change configuration, delete resources and other things. So you absolutely want to protect at least your Root Accounts and hopefully all your IAM users. So how do you protect them on top of the password? Well, you use an MFA device. So what is MFA? MFA is using the combination of a password that you know and a security device that you own, and these two things together have a much greater security than just a password. So for example, let us take Alice. Alice knows her password, but she also has an MFA generating token, and by using these things together while logging in, she is going to be able to do a successful login with MFA.

[00:02:12] So the benefit of MFA is that even if Alice has lost her password, because it's stolen or it's hacked, the account will not be compromised, because the hacker will need to also get a hold of the physical device of Alice, that could be a phone for example, to do a login. Obviously, that is much less likely. So what are the MFA device options in AWS? You should know them going into the exam, but don't worry, they're quite simple. The first one is a Virtual MFA device, this is what we'll be using in the hands-on, and so you can use Google Authenticator, which just works on one phone at a time, or use Authy, which is multi-device; they both work the same except one is multi-device. And personally I use Authy because I like the fact that I can use it on my computer and on my phones. So, for Authy you have support for multiple tokens on a single device. So, that means that with a Virtual MFA device, you can have your root account, your IAM user, and another account, and another IAM user; it's up to you, you can have as many users and accounts as you want on your Virtual MFA device, which makes it a very easy solution to use.

[00:03:19] Now we have another thing called a Universal 2nd Factor or U2F Security Key, and that is a physical device, for example a YubiKey by Yubico, and Yubico is a 3rd party to AWS; this is not provided by AWS, this is a 3rd party. And we use a physical device because maybe it's super easy: you put it on your key fob and you're good to go. So this YubiKey supports multiple root and IAM users using a single security key, so you don't need as many keys as users, otherwise that would be a nightmare. Then your other options: you have a Hardware Key Fob MFA device, for example this one provided by Gemalto, which is also a third party to AWS, and finally, if you are using the cloud of the government in the US, the AWS GovCloud, then you have a special Key Fob that looks like this, that is provided by SurePassID, which is also a 3rd party. So that's it, we've seen the theory on how to protect your account, but let's go to the next lecture to implement that. So I will see you in the next lecture.