7

I need to host stuff for a financial institution on EC2. The bank wants complete two-factor authentication, so stuff like having SSH with a key with password. Something like SecureID or similar would be great. How can I effectively create two-factor authentication across SSH to my EC2 environment?

Also, could I consider OpenVPN as part of the two-factor encryption?

Steffen Opel
Stewart Robinson
  • The blog at https://aws.amazon.com/blogs/startups/securing-ssh-to-amazon-ec2-linux-hosts/ explains it in detail. – kpythontist Mar 27 '19 at 19:44

5 Answers

5

With duo_unix, you can add two-factor authentication for any SSH login method, and with the Duo OpenVPN integration, you can add two-factor authentication to OpenVPN.

Disclaimer: I work for Duo.

Karl Anderson
2

Update

AWS has recently announced Resource-Level Permissions for Amazon EC2 and Amazon RDS to address this long-standing shortcoming of IAM support within EC2 and RDS mentioned in my original answer below:

Today we are making IAM even more powerful with the introduction of resource-level permissions for Amazon EC2 and Amazon RDS. [...]

On the EC2 side, you can now construct and use IAM policies to control access to EC2 instances, EBS volumes, images, and Elastic IP addresses. [...]

Here are just a few of things that you can do:

  • Allow users to act on a limited set of resources within a larger, multi-user EC2 environment.
  • Set different permissions for "development" and "test" resources.
  • Control which users can terminate which instances.
  • Require additional security measures, such as MFA authentication, when acting on certain resources. [emphasis mine]

As emphasized, using MFA when acting on certain resources is now possible for EC2 instances too, so you could e.g. limit stopping and termination of an EC2 instance to a user who is authenticated by username/password and an authentication code from an MFA device.


Initial Answer

Two-factor authentication similar to SecurID is readily available via AWS Identity and Access Management (IAM) by means of the AWS Multi-Factor Authentication. Whether this actually applies to your question depends on your particular use case though, i.e. what scenarios you need to protect with two-factor authentication (e.g. the mentioned SSH access vs. AWS Management Console access vs. access to websites you host on EC2 in return etc.).

Specifically, IAM covers access to the AWS Management Console but obviously not SSH; in addition, EC2 is one of the AWS products where IAM does not apply at the resource level, rather only at the service level, see Integrating with Other AWS Products and Using AWS Identity and Access Management with EC2, especially the following disclaimer:

Important

Amazon EC2 uses SSH keys, Windows passwords, and security groups to control who has access to specific Amazon EC2 instances. You can't use the IAM system to allow or deny access to a specific instance.

Please note that IAM usage is highly recommended for anything AWS regardless of multi-factor authentication.

Finally I'd like to highlight two more recent additions to IAM potentially helpful regarding your use case as well:

Steffen Opel
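As an added illustration of the MFA condition the update above refers to (this is example code, not part of the answer and not AWS's own material), the following builds an IAM policy that lets a user describe EC2 resources freely but only stop or terminate instances from an MFA-authenticated session, using the real `aws:MultiFactorAuthPresent` condition key. The account id and region are constructed placeholders. The second function is a small lint you can run over any policy document (for example one fetched from IAM) to list which allowed actions are actually gated on MFA.

```python
import json

# Constructed placeholder values: substitute the real account id and region.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"

# Condition that is only satisfied when the caller's session was established with MFA.
MFA_CONDITION = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}


def build_policy(account_id: str = ACCOUNT_ID, region: str = REGION) -> dict:
    """Policy document: read-only EC2 calls without MFA, stop/terminate only with MFA.

    ec2:Describe* calls do not support resource-level permissions, so their Resource
    must stay "*"; the destructive actions are scoped to instances in one account/region.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DescribeWithoutMfa",
                "Effect": "Allow",
                "Action": ["ec2:Describe*"],
                "Resource": "*",
            },
            {
                "Sid": "StopTerminateRequireMfa",
                "Effect": "Allow",
                "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
                "Resource": f"arn:aws:ec2:{region}:{account_id}:instance/*",
                "Condition": MFA_CONDITION,
            },
        ],
    }


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Statement; normalise."""
    return value if isinstance(value, list) else [value]


def actions_requiring_mfa(policy: dict) -> set:
    """Return the allowed actions that are gated on an MFA-authenticated session."""
    gated = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() == "true":
            gated.update(_as_list(stmt.get("Action", [])))
    return gated


def actions_allowed_without_mfa(policy: dict) -> set:
    """Return the allowed actions a password-only session could perform (no MFA condition)."""
    open_actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "aws:MultiFactorAuthPresent" not in json.dumps(stmt.get("Condition", {})):
            open_actions.update(_as_list(stmt.get("Action", [])))
    return open_actions


def policy_json(policy: dict) -> str:
    """Serialise the document the way it would be passed to the IAM API or console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    doc = build_policy()
    print(policy_json(doc))
    print("MFA-gated:", sorted(actions_requiring_mfa(doc)))
    print("Open:", sorted(actions_allowed_without_mfa(doc)))
```

The lint is deliberately conservative: it only credits a statement as MFA-gated when the `Bool` form of the condition is present, so a policy that relies on a separate `Deny` with `BoolIfExists` will show its actions as open and deserves a manual look.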
1

You will need to secure access to the EC2 console with two-factor. There you are at the mercy of Amazon. For SSH access, you can do lots of options. You can do SSH keys and require that the keys have a password. However, note that there is nothing to keep someone from writing an SSH client that lies about the cert having a password. SSH is great from a security PoV, but it doesn't always pass muster for regulatory requirements. For example, the keys might need to be re-generated periodically. SSH doesn't support that.

PAM radius is your friend if you decide to use a two-factor auth system: http://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to

hth,

nowen
1

EC2 now has 2 factor authentication to its services, which is an important first step.

However, anything hosted on a cloud service that you don't own should be considered insecure at best.

The reason being that you have a virtual machine with shared memory and shared resources. With EC2, you don't know where the data resides or how it's effectively stored. You may find that your VPS is shared with other VPSs from other organisations.

So if you're going to store financial data on EC2 in an EBS drive you should encrypt it.

But while you might think this is therefore secure, you are only as secure as your weakest link.

To quote another source, because he says it well:

... but VM instances often share physical hardware with other instances, and since EC2 is a public service, those co-resident VMs may not be entirely friendly. The major threat here is, of course, software vulnerabilities -- things that can let an attacker break out of one VM and into another. But even if you perfect the software, there's another more insidious threat: namely, that the attacker VM instance could be able to run a side-channel attack on the co-resident VM.

Which would make 2 factor authentication useless against this type of attack.

Now if you can live with that, how do you do it? This Stack Overflow question/answer provides you with some answers on using Google Authenticator, which is one of the better ones.

But there are many 2 factor authentication options out there; some require hardware keyfobs and others like Google Authenticator use your mobile phone. The bank or financial institution may actually mandate which 2 factor authentication method they will allow.

OpenID is a great idea in that it allows you to use your openid to log into many services. But it's also flawed because it allows a single login to gain access to many things. A quick Google and I found http://wikid.com/ which uses OpenID and 2 factor authentication. I'd be hesitant to use it in your particular case.

By the way, are you going to be accepting payments from credit cards? You may find you need to be PCI compliant and I'm not entirely sure if you will be able to be compliant on an EC2 instance. They are quite strict, but for good reason. There are ways to reduce your risks though by not directly accepting card payments and not storing credit card data but by going through a 3rd party payment provider service that your website can interact with.

If you are a merchant that accepts payment cards, you are required to be compliant with the PCI Data Security Standard. You can find out your exact compliance requirements only from your payment brand or acquirer. However, before you take action, you may want to obtain background information and a general understanding of what you will need to do from the information and links here.

hookenz
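To show what the Google Authenticator style of second factor mentioned in the answer above actually does on the server side, here is an added example (not code from the answer, nor from Google's or any PAM module's code base) implementing RFC 4226 HOTP and RFC 6238 TOTP with a verifier that tolerates one step of clock skew and refuses to accept a time-step twice, so a code seen in transit cannot be replayed. The secret is the RFC reference seed `12345678901234567890`, base32-encoded as an authenticator app would receive it; the class and function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 reference seed, base32-encoded the way
# it would appear in an otpauth:// provisioning URI. Never reuse it outside a test.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Base32 secrets are often shown in groups with spaces and lower case; normalise."""
    return base64.b32decode(secret_b32.replace(" ", "").upper(), casefold=True)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time in fixed-size steps."""
    return hotp(decode_secret(secret_b32), at // step, digits)


class TotpVerifier:
    """Server-side verifier: accepts the current step and +/- `window` neighbours for
    clock skew, compares in constant time, and remembers the highest step accepted so
    the same code cannot be submitted twice."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30):
        self._secret = decode_secret(secret_b32)
        self.window = window
        self.step = step
        self.last_accepted_counter = -1

    def verify(self, submitted: str, at: int = None) -> bool:
        at = int(time.time()) if at is None else at
        submitted = submitted.strip()
        if not submitted.isdigit():
            return False  # reject before touching the MAC; garbage is never a code
        base = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_accepted_counter:
                continue  # already consumed (or older than a consumed step): replay
            if hmac.compare_digest(hotp(self._secret, counter), submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET_B32)
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code)
    print("first use accepted:", verifier.verify(code, at=now))
    print("replay accepted:", verifier.verify(code, at=now))
```

The replay guard is the part most home-grown verifiers forget: within a 30-second step the same six digits are valid for every login attempt, so without `last_accepted_counter` an attacker who watched one code typed in has the whole window to reuse it. Wiring this into sshd is normally done through PAM (for example the Google Authenticator PAM module) together with an `AuthenticationMethods publickey,keyboard-interactive` line in `sshd_config`, so that the key and the code are both required.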
-2

EC2 allows you to set up your machines with different SSH certificates that you can create; the easiest solution for you would be to just create one that requires a password.

Also be aware of the security limitations of EC2: the security is peripheral and you don't know which machines are doing what inside, so place strict security on communication between machines; a strongly encrypted VPN (OpenVPN or stunnel) is highly desired for this.

lynxman