Do "Passkey or security key" MFA devices for the root user satisfy the Security Hub IAM.6 requirement?

0

For compliance and security, we need to use Hardware MFA devices as specified by IAM.6, "Hardware MFA should be enabled for the root user". The description reads:

This AWS control checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials.

The "Assign MFA" page lists three options:

  • Passkey or security key
  • Authenticator app
  • Hardware TOTP token

As we're currently in procurement for a solution, we need confirmation that "Passkey or security key" satisfies the IAM.6 requirement, or if instead only the Hardware TOTP device is accepted. Would a FIPS-compliant Yubikey such as this one suffice for the security requirement?

If it is the case that only the TOTP token satisfies the IAM.6 requirement, how is a non-US entity supposed to procure one, given that only two devices from Thales are listed and neither is available in our current operating country (EU)? If this is not the case, you can ignore this secondary question.

asked a year ago · 288 views
1 Answer
0

In addition to a hardware TOTP token, a passkey or security key will meet the requirement for the IAM.6 control in Security Hub.

For example, a passkey using a Chrome profile or a FIDO2 security key configured for the root user will generate a PASSED check for the IAM.6 control.

Please refer to the links below for more information on FIDO2 security key support in IAM:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_fido_supported_configurations.html#id_credentials_mfa_fido_supported_devices

https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_mfa-fido.html

For supported Yubico devices, please use this link and search for FIDO2 specification keys: https://fidoalliance.org/certification/fido-certified-products/

AWS
SUPPORT ENGINEER
answered a year ago
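
To see locally which result to expect before Security Hub re-evaluates, the following added example (not part of the answer above and not AWS's own code) approximates the check from two IAM API responses. It assumes that IAM.6 passes when root MFA is enabled and none of root's devices is a virtual (authenticator app) device, which matches the answer's statement that passkeys and FIDO2 keys pass; the function names and the sample data are constructed for illustration.

```python
"""Local approximation of the IAM.6 outcome from IAM API responses (added example)."""


def root_virtual_mfa(virtual_devices):
    """Serial numbers of virtual (authenticator app) MFA devices assigned to root."""
    return [
        d["SerialNumber"]
        for d in virtual_devices
        if d.get("User", {}).get("Arn", "").endswith(":root")
    ]


def evaluate_iam6(summary_map, virtual_devices):
    """Assumed logic: root MFA is enabled and no root MFA device is virtual."""
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        return "FAILED", "root user has no MFA device"
    serials = root_virtual_mfa(virtual_devices)
    if serials:
        return "FAILED", "root uses a virtual MFA device: " + ", ".join(serials)
    return "PASSED", "root MFA is a passkey, security key or hardware TOTP token"


def fetch_and_evaluate():
    """Live check; needs boto3 plus iam:GetAccountSummary and iam:ListVirtualMFADevices."""
    import boto3  # imported here so the offline part runs without it

    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = []
    pages = iam.get_paginator("list_virtual_mfa_devices").paginate(
        AssignmentStatus="Assigned"
    )
    for page in pages:
        devices.extend(page["VirtualMFADevices"])
    return evaluate_iam6(summary, devices)


# Constructed sample responses; 111122223333 is a placeholder account ID.
ROOT_APP = {
    "SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
    "User": {"Arn": "arn:aws:iam::111122223333:root"},
}
USER_APP = {
    "SerialNumber": "arn:aws:iam::111122223333:mfa/alice",
    "User": {"Arn": "arn:aws:iam::111122223333:user/alice"},
}

if __name__ == "__main__":
    print(evaluate_iam6({"AccountMFAEnabled": 1}, [USER_APP]))  # root on a security key
    print(evaluate_iam6({"AccountMFAEnabled": 1}, [ROOT_APP, USER_APP]))
```

Call `fetch_and_evaluate()` with read-only IAM credentials for the account to run the same evaluation against live data.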