AWS provides a variety of features that can be used to keep AWS Account and resources safe from unauthorized use. This includes credentials for access control, HTTPS endpoints for encrypted data transmission, the creation of separate IAM user accounts, user activity logging for security monitoring, and Trusted Advisor security checks.
AWS uses several types of credentials for authentication. These include passwords, cryptographic keys, digital signatures, and certificates. AWS also provide the option of requiring multi-factor authentication (MFA) to log into your AWS Account or IAM user accounts.
Following are the various AWS credentials and their uses.
Passwords: Password is used to log into AWS account, IAM account, discussion forum and the support center. It can be created during signup to AWS account for root admin account. All other user account password will be specified by administrator with option to allow to change on first time used by IAM user. Passwords can be changed any time using security credentials page.
AWS Multi-Factor Authentication (MFA): AWS Multi-Factor Authentication (MFA) is an additional optional feature security for accessing AWS services. It requires a six-digit single-use code in along with user name and password to access AWS Account settings or AWS services and resources. This is called multi-factor authentication because more than one authentication factor is checked before access is granted: a password (something you know) and the precise code from your authentication device. it can be enable using a MFA devices for an AWS Account as well as for the users that have created using AWS IAM. AWS MFA supports the use of both hardware tokens and virtual MFA devices. Virtual MFA devices use the same protocols as the physical MFA devices, but can run on any mobile hardware device, including a smartphone. A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the Time-Based One-Time Password (TOTP) standard. Most virtual MFA applications allow to host more than one virtual MFA device, which makes them more convenient than hardware MFA devices. However, you should be Amazon Web Services Amazon Web Services:You can also enforce MFA authentication for AWS service APIs in order to provide an extra layer of protection over powerful or privileged actions such as terminating Amazon EC2 instances or reading sensitive data stored in Amazon S3. You do this by adding an MFA-authentication requirement to an IAM access policy. You can attach these access policies to IAM users, IAM groups, or resources that support Access Control Lists (ACLs) like Amazon S3 buckets, SQS queues, and SNS topics. It is easy to obtain hardware tokens from a participating third-party provider or virtual MFA applications from an AppStore and to set it up for use via the AWS website.
Access Keys: Access key is a digitally signed requests which must be included to access AWS APIs (using the AWS SDK, CLI, or REST/Query APIs) to verify the identity of the requestor. Aj AWS user calculate the digital signature using a cryptographic hash function. The input to the hash function in this case includes the text of request and secret access key. It will be calculated automatically by AWS on use any of the AWS SDKs to generate requests otherwise, you can have your application calculate it and include it in your REST or Query requests.
The most recent version of the digital signature calculation process is Signature Version 4, which calculates the signature using the HMAC-SHA256 protocol. Version 4 provides an additional measure of protection over previous versions by requiring that you sign the message using a key that is derived from your secret access key rather than using the secret access key itself. In addition, you derive the signing key based on credential scope, which facilitates cryptographic isolation of the signing key.
Access key is very sensitive and should be saved at a safe place. An unauthorized person can misuse this if they fall in wrong hand. A customer with large fleets of elastically scaling EC2 instances, the use of IAM roles can be a more secure and convenient way to manage the distribution of access keys. IAM roles provide temporary credentials, which not only get automatically loaded to the target instance, but are also automatically rotated multiple times a day.
Key Pairs: A key pair is required to connect to an EC2 instance launched from a public AMI for SSH login to EC2 instances CloudFront signed URLs. The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096. You can have a key pair generated automatically for you when you launch the instance or you can upload your own. It can be generated automatically during launch of a instance. Private key should be saved in a safe place.
X.509 Certificates: X.509 certificates are only used to sign SOAP-based requests (currently used only with Amazon S3). AWS create an X.509 certificate and private key. Private key should be used by consumer of API request to establish connection. AWS will reject all connection with missing or invalid private key. X.509 certificates are used as SSL/TLS server certificates for customers who want to use HTTPS to encrypt their transmissions. Private key will be used to create the Certificate Signing Request (CSR) that must be submitted to a certificate authority (CA) to obtain the server certificate. Server certificate, private key and certificate chain will be uploaded using AWS CLI to IAM.