IA-2 (1) The information system implements multifactor authentication for network access to privileged accounts.
AWS Multi-Factor Authentication (AWS MFA) provides an extra level of security that customer agencies apply to their AWS environment. Customer agencies can enable AWS MFA for their account and for individual users they have created under their account. With AWS MFA enabled a user that signs into the FedCloud Console will be prompted for their username and password, as well as for an authentication code from their MFA device. Taken together, these multiple factors provide increased security for customer agencies’ AWS account settings and resources.
Virtual EC2 instances are completely controlled by the customer agency. Customers have full root access or administrative control over accounts, services, and applications. AWS does not have any access rights to customer instances and cannot log into the guest OS.
AWS recommends a base set of security best practices to include disabling password-only access to their servers, and utilizing multi-factor authentication to gain access to their instances (or at a minimum certificate-based SSH Version 2 access)
System owners of applications and websites supported by 18F must ensure administrator access to applications utilize MFA.
Public websites and applications that have no sensitive or private information are not required to implement MFA for general users.