Enabling multi-factor authentication for Amazon Managed Microsoft AD
You can enable multi-factor authentication (MFA) for your Amazon Managed Microsoft AD directory to increase security when your users present their AD credentials to access supported Amazon Enterprise applications. When you enable MFA, your users enter their username and password (the first factor) as usual, and they must also enter an authentication code (the second factor) that they obtain from your virtual or hardware MFA solution. Together these factors prevent access to your Amazon Enterprise applications unless a user supplies both valid credentials and a valid MFA code.
To enable MFA, you must have an MFA solution that is a Remote Authentication Dial-In User Service (RADIUS) server.
RADIUS is an industry-standard client/server protocol that provides authentication, authorization, and accounting (AAA) for users connecting to network services. Amazon Managed Microsoft AD includes a RADIUS client that connects to the RADIUS server on which you have implemented your MFA solution. Your RADIUS server validates the username and the one-time password (OTP) code. If the RADIUS server accepts the user, Amazon Managed Microsoft AD then authenticates the user against Active Directory; only after that second success can the user access the Amazon application. Communication between the Amazon Managed Microsoft AD RADIUS client and your RADIUS server requires you to configure Amazon security groups that allow traffic over UDP port 1812, the default RADIUS authentication port.
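The exchange described above, as an added example that is not AWS code: a minimal RFC 2865 RADIUS client and server in Python showing how the username and OTP travel (the PAP User-Password attribute hidden with the shared secret), how the client authenticates the reply using the Response Authenticator, and how the timeout and retry settings bound an attempt. The server, shared secret, OTP table and in-process transport are constructed stand-ins for a real RADIUS/MFA server listening on UDP 1812.

```python
"""Minimal RFC 2865 RADIUS Access-Request / Access-Accept exchange over PAP.
Added example, not AWS code: the server, shared secret and OTP table are constructed.
Only the one-shot Request -> Accept/Reject flow is modelled, because Amazon Directory
Service does not support RADIUS Challenge/Response."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
RADIUS_AUTH_PORT = 1812   # UDP; the security-group rule in the procedure must allow it

def _attr(atype, value):
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def _parse_attrs(blob):
    attrs, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    seeded by the Request Authenticator. This is obfuscation keyed by the shared secret,
    not strong encryption, which is why the secret must be long and random."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # OTP codes are printable, so stripping padding is safe

def build_access_request(ident, username, otp, secret):
    """The directory's RADIUS client sends the AD user name and the OTP as User-Password."""
    request_auth = os.urandom(16)   # fresh per request; also keys the reply check
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
            _attr(ATTR_USER_PASSWORD, hide_password(otp.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def radius_server(packet, secret, valid_otps):
    """Constructed MFA server: recover the OTP, check it, and answer with a Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    otp = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = hmac.compare_digest(otp, valid_otps.get(user, "").encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()

def verify_response(response, request_auth, secret):
    """Client side: discard any reply whose Response Authenticator does not verify
    (wrong secret or spoofed UDP source); otherwise return the reply code."""
    _, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None

def authenticate(username, otp, secret, transport, timeout_s=20, retries=3):
    """Client loop with the two knobs the console exposes: 'Server timeout' and
    'Max RADIUS request retries'. transport(packet, timeout_s) returns reply bytes,
    or None when no answer arrived within timeout_s."""
    packet, request_auth = build_access_request(os.urandom(1)[0], username, otp, secret)
    for _ in range(retries + 1):
        reply = transport(packet, timeout_s)
        if reply is not None:
            return verify_response(reply, request_auth, secret)
    return None   # every attempt timed out

SHARED_SECRET = b"example-only-shared-secret-use-random"   # constructed
VALID_OTPS = {"alice": "492817"}   # constructed: the code the MFA server expects right now

def in_process_transport(drop_first=0):
    """Stand-in for UDP 1812; optionally drops the first N requests to exercise retries."""
    state = {"left": drop_first}
    def send(packet, timeout_s):
        if state["left"] > 0:
            state["left"] -= 1
            return None
        return radius_server(packet, SHARED_SECRET, VALID_OTPS)
    return send

if __name__ == "__main__":
    print(authenticate("alice", "492817", SHARED_SECRET, in_process_transport()))   # 2 = Access-Accept
```

Two points follow from the code: a client configured with the wrong shared secret never sees an Accept, because the Response Authenticator fails to verify and the reply is dropped; and with a timeout of 20 seconds and 3 retries a single unreachable server can hold a sign-in for 80 seconds, which is why the page recommends keeping the timeout at 20 seconds or less.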
You can enable multi-factor authentication for your Amazon Managed Microsoft AD directory by performing the following procedure. For more information about how to configure your RADIUS server to work with Amazon Directory Service and MFA, see Multi-factor authentication prerequisites.
Considerations
The following are some considerations for multi-factor authentication for your Amazon Managed Microsoft AD:
- Multi-factor authentication is not available for Simple AD. However, MFA can be enabled for your AD Connector directory. For more information, see Enabling multi-factor authentication for AD Connector.
- MFA is a Regional feature of Amazon Managed Microsoft AD. If you are using Multi-Region replication, you can use MFA only in the Primary Region of your Amazon Managed Microsoft AD.
- If you intend to use Amazon Managed Microsoft AD for external communications, we recommend you configure a Network Address Translation (NAT) Internet Gateway or Internet Gateway outside of the Amazon network for these communications.
- If you wish to support external communications between your Amazon Managed Microsoft AD and a RADIUS server hosted on the Amazon network, contact Amazon Web Services Support.
- All Amazon Enterprise IT applications, including WorkSpaces, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, and access to Amazon IAM Identity Center and the Amazon Web Services Management Console, are supported when using Amazon Managed Microsoft AD and AD Connector with MFA. When Multi-Region replication is configured, MFA for these applications is supported only in the Primary Region. For more information, see How to enable multi-factor authentication for Amazon services by using Amazon Managed Microsoft AD and on-premises credentials.
- For information about how to configure basic user access to Amazon Enterprise applications, Amazon Single Sign-On, and the Amazon Web Services Management Console using Amazon Directory Service, see Access to Amazon applications and services from your Amazon Managed Microsoft AD and Enabling Amazon Web Services Management Console access with Amazon Managed Microsoft AD credentials.
- To learn how to enable MFA for Amazon WorkSpaces users on your Amazon Managed Microsoft AD, see the Amazon Security Blog post How to enable multi-factor authentication for Amazon services by using Amazon Managed Microsoft AD and on-premises credentials.
Enable multi-factor authentication for Amazon Managed Microsoft AD
The following procedure shows you how to enable multi-factor authentication for Amazon Managed Microsoft AD.
1. Identify the IP addresses of your RADIUS MFA server and of your Amazon Managed Microsoft AD directory.
2. Edit your Virtual Private Cloud (VPC) security groups to allow communication over UDP port 1812 between your Amazon Managed Microsoft AD IP endpoints and your RADIUS MFA server.
3. In the Amazon Directory Service console navigation pane, select Directories.
4. Choose the directory ID link for your Amazon Managed Microsoft AD directory.
5. On the Directory details page, do one of the following:
   - If you have multiple Regions showing under Multi-Region replication, select the Region where you want to enable MFA, and then choose the Networking & security tab. For more information, see Primary vs additional Regions.
   - If you do not have any Regions showing under Multi-Region replication, choose the Networking & security tab.
6. In the Multi-factor authentication section, choose Actions, and then choose Enable.
7. On the Enable multi-factor authentication (MFA) page, provide the following values:
   - Display label: Provide a label name.
   - RADIUS server DNS name or IP addresses: The IP addresses of your RADIUS server endpoints, or the IP address of your RADIUS server load balancer. You can enter multiple IP addresses by separating them with a comma (for example, 192.0.0.0,192.0.0.12).
     Note: RADIUS MFA applies only to authenticating access to the Amazon Web Services Management Console and to Amazon Enterprise applications and services such as WorkSpaces, Amazon QuickSight, or Amazon Chime. If Multi-Region replication is configured for your Amazon Managed Microsoft AD, those applications and services are supported only in the Primary Region. RADIUS MFA does not provide MFA for Windows workloads running on EC2 instances, or for signing in to an EC2 instance. Amazon Directory Service does not support RADIUS Challenge/Response authentication.
     Users must have their MFA code at the time they enter their user name and password. Alternatively, you must use a solution that performs MFA out-of-band, such as push notification or authenticator one-time passwords (OTP), for the user. For out-of-band MFA solutions, set the RADIUS timeout value appropriately for your solution, because the RADIUS server cannot answer until the user has completed the out-of-band step. When using an out-of-band MFA solution, the sign-in page still prompts the user for an MFA code; in this case, users must enter their password in both the password field and the MFA field.
   - Port: The port that your RADIUS server uses for communications. Your on-premises network must allow inbound traffic over the default RADIUS server port (UDP 1812) from the Amazon Directory Service servers.
   - Shared secret code: The shared secret code that was specified when your RADIUS endpoints were created.
   - Confirm shared secret code: Confirm the shared secret code for your RADIUS endpoints.
   - Protocol: Select the protocol that was specified when your RADIUS endpoints were created.
   - Server timeout (in seconds): The amount of time, in seconds, to wait for the RADIUS server to respond. This must be a value between 1 and 50.
     Note: We recommend configuring your RADIUS server timeout to 20 seconds or less. If the timeout exceeds 20 seconds, the system cannot retry with another RADIUS server, and the sign-in may fail with a timeout.
   - Max RADIUS request retries: The number of times that communication with the RADIUS server is attempted. This must be a value between 0 and 10.
8. Choose Enable.
Multi-factor authentication is available when the RADIUS Status changes to Enabled.
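The same procedure driven through the API rather than the console, as an added example that is not AWS-provided code. The Python below uses the ds:EnableRadius operation and the EC2 security-group API via boto3; the RadiusSettings field names are those of the public API and mirror the console fields above, and the helpers enforce the page's limits (timeout 1 to 50 seconds, retries 0 to 10) before anything is sent. The directory ID, endpoint addresses, security group ID, Region and the environment variable holding the shared secret are placeholders.

```python
"""Enable RADIUS MFA on an Amazon Managed Microsoft AD directory via the ds:EnableRadius
API, mirroring the console fields and limits described above. Added example, not
AWS-provided code. RadiusSettings field names are those of the public API; the
directory ID, addresses, security group and secret source are placeholders."""
import ipaddress
import os

RADIUS_AUTH_PORT = 1812
RADIUS_PROTOCOLS = ("PAP", "CHAP", "MS-CHAPv1", "MS-CHAPv2")   # API enum for AuthenticationProtocol

def parse_server_list(text):
    """'RADIUS server DNS name or IP addresses' field: comma-separated, e.g. '192.0.0.0,192.0.0.12'."""
    servers = [s.strip() for s in text.split(",") if s.strip()]
    if not servers:
        raise ValueError("at least one RADIUS server is required")
    return servers

def build_radius_settings(servers, shared_secret, port=RADIUS_AUTH_PORT, timeout=20,
                          retries=3, protocol="PAP", label="MFA"):
    """Validate the console's limits client-side: timeout 1-50 s, retries 0-10."""
    if not 1 <= timeout <= 50:
        raise ValueError("Server timeout must be between 1 and 50 seconds")
    if not 0 <= retries <= 10:
        raise ValueError("Max RADIUS request retries must be between 0 and 10")
    if not 1 <= port <= 65535:
        raise ValueError("invalid UDP port")
    if protocol not in RADIUS_PROTOCOLS:
        raise ValueError(f"protocol must be one of {RADIUS_PROTOCOLS}")
    return {
        "RadiusServers": list(servers),
        "RadiusPort": port,
        "RadiusTimeout": timeout,
        "RadiusRetries": retries,
        "SharedSecret": shared_secret,
        "AuthenticationProtocol": protocol,
        "DisplayLabel": label,
        "UseSameUsername": True,   # pass the AD user name unchanged to RADIUS
    }

def timeout_allows_failover(settings):
    """The page recommends 20 s or less so a second RADIUS server can still be tried."""
    return settings["RadiusTimeout"] <= 20

def radius_ingress_rule(directory_ips, port=RADIUS_AUTH_PORT):
    """EC2 IpPermissions entry for the RADIUS server's security group: UDP 1812 inbound
    from each directory endpoint (step 2 of the procedure)."""
    return {
        "IpProtocol": "udp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [
            {"CidrIp": f"{ipaddress.ip_address(ip)}/32",
             "Description": "RADIUS from Amazon Managed Microsoft AD"}
            for ip in directory_ips
        ],
    }

def enable_mfa(directory_id, settings, directory_ips, radius_sg_id, region):
    """Apply the security-group rule, enable RADIUS, and poll RadiusStatus until it
    leaves 'Creating' ('Completed' is what the console shows as Enabled).
    boto3 and AWS credentials are assumed; imported here so the helpers run offline."""
    import time
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    ec2.authorize_security_group_ingress(GroupId=radius_sg_id,
                                        IpPermissions=[radius_ingress_rule(directory_ips)])
    ds = boto3.client("ds", region_name=region)
    ds.enable_radius(DirectoryId=directory_id, RadiusSettings=settings)
    while True:
        desc = ds.describe_directories(DirectoryIds=[directory_id])["DirectoryDescriptions"][0]
        if desc.get("RadiusStatus") != "Creating":
            return desc.get("RadiusStatus")   # "Completed" or "Failed"
        time.sleep(5)

if __name__ == "__main__":
    # All identifiers below are placeholders; the shared secret comes from the
    # environment rather than being written into the script or a console field.
    settings = build_radius_settings(parse_server_list("192.0.0.0,192.0.0.12"),
                                     os.environ["RADIUS_SHARED_SECRET"])
    if not timeout_allows_failover(settings):
        print("warning: timeout above 20 s prevents retrying against a second RADIUS server")
    print(enable_mfa("d-1234567890", settings, ["10.0.0.10", "10.0.1.10"],
                     "sg-0123456789abcdef0", "us-east-1"))
```

The ingress rule is scoped to the directory's endpoint addresses as /32 entries rather than the whole VPC CIDR, so only the directory's RADIUS client can reach the MFA server on UDP 1812.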