About Me

JHC Technology is a Service Disabled, Veteran-Owned, Small Business based in the Washington, DC Metro area. Our primary focus is to offer customized solutions and IT consulting to our Commercial and Government clients. Our experts have a broad experience delivering and managing Microsoft Enterprise applications and Cloud and Virtualization Solutions, as well as mobilizing Enterprise data.

Tuesday, October 29, 2013

Enabling MFA on your AWS account

One of the key components to cloud security and a question we hear all the time is around the use of multi-factor authentication (MFA).  Implementing MFA is considered more secure than a simple user name and password, because it requires anyone logging in to have something they know (user name and password) and something they have (MFA device). 

Implementing MFA on the Root Account is even more important to ensure the integrity of the entire environment.  JHC Technology always recommends protecting the Root Account.  To do this, we create various security groups and users under the Root Account.  Access is then controlled by the security groups and IAM users.  For more on IAM and assigning permissions, please click here.

MFA devices can either be physical or virtual.  For this entry, I’m going to walk you through the steps to implement an Android virtual MFA with an Amazon Web Services (AWS) account.

This entry does not cover the creation of an AWS account.  If you haven’t created an account, visit http://aws.amazon.com.  Before we get started, it’s also important to have downloaded and installed two applications:  AWS Virtual MFA and ZXing Barcode Scanner (both are free).  Before beginning, I highly encourage the review of the MFA FAQs, located here.

Let’s get started:
  1. Sign in to your AWS account.
  2. Select IAM from the Management Console.  
  3. Under Security Status, you will see that the Root Account MFA is Disabled.  Click on “Manage MFA Device”.  
  4. We are activating a virtual MFA device.  Ensure this option is selected and click Continue.  
  5. Since we have already installed the AWS MFA-compatible application, select Continue.   
  6. You will be prompted by the following screen, which is where you need to utilize your Virtual MFA Device.  Do not close this window.  
  7. Launch the AWS Virtual MFA from your Android device.
  8. Click on your device’s menu button and select Scan QR Code.
  9. Once this code is scanned, it will present your associated account on the MFA application.
  10. Now you are prepared to finish authorizing your device.  Looking back at your browser window, you will see that in order to synchronize the device, you need to enter two consecutive Authentication Codes.  You will use your Virtual MFA to generate these codes.
  11. Tap the account name on your Virtual MFA.  It will generate a six-digit code.
  12. Enter this code into Authentication Code 1 in your browser.  
  13. Tap your account name on the Virtual MFA to generate another six-digit code. If it’s the same code, you’ll need to tap the name again until the code changes.  Keep in mind that the codes need to be consecutive, so you can’t wait five minutes in between entering codes.  
  14. Once you generate the next code, enter that into the browser under Authentication Code 2.  Once you’ve done this, select Continue.
  15. If you have entered the consecutive codes appropriately, you will get validation.  Click Finish.  
  16. Now you need to test the MFA authentication.   
  17. Log out of your account.
  18. Begin the process of signing back into your account.  Once you have entered your associated email address and password, you will be prompted by a second screen.  
  19. Open your Virtual MFA application and tap the associated account.  This will generate your six-digit code to enter.  Enter that number in the Authentication Code field and then click the link to sign in.
Setting up MFA on your root account is a security best practice that is monitored by AWS’s Trusted Advisor (available to customers with Business Level support) and by third-party products such as CloudCheckr.
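The post does not say what the Virtual MFA app computes when you tap the account name, but AWS virtual MFA devices implement the TOTP algorithm of RFC 6238: a six-digit code derived from a shared secret (the value in the QR code) and the current 30-second time window. The following is an added example, not code from the post or from AWS, that reproduces that calculation and the two checks the console performs above: the "two consecutive codes" synchronization in steps 10 to 14, and the single-code check at sign-in in steps 18 and 19. The secret is the RFC 6238 test-vector key, a constructed value and not a real account seed; the `skew` tolerance is an assumption for illustration and is not AWS's documented behaviour.

```python
"""
Added example (not from the original post): a minimal RFC 6238 TOTP
implementation, as run by a virtual MFA device such as the AWS Virtual
MFA app, plus the "two consecutive codes" enrolment check and the
single-code sign-in check described in the walkthrough.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"); constructed
# test value, NOT a real MFA seed.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code window (AWS virtual MFA uses 30 s)
DIGITS = 6       # AWS authentication codes are six digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def enable_mfa_device(secret: bytes, code1: str, code2: str, now: int,
                      skew: int = 1) -> bool:
    """
    Enrolment check (steps 10-14): code1 and code2 must come from two
    *consecutive* time steps, with code2 from the step right after code1.
    The skew window (an assumption here) tolerates small clock drift between
    the phone and the server. Submitting the same code twice fails, which is
    why step 13 says to wait until the code changes.
    """
    current = now // TIME_STEP
    for c in range(current - skew - 1, current + skew + 1):
        if hmac.compare_digest(hotp(secret, c), code1) and \
           hmac.compare_digest(hotp(secret, c + 1), code2):
            return True
    return False


def verify_login_code(secret: bytes, code: str, now: int, skew: int = 1) -> bool:
    """Sign-in check (steps 18-19): a single code, valid within +/- skew steps."""
    current = now // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(current - skew, current + skew + 1))


if __name__ == "__main__":
    now = int(time.time())
    step = now // TIME_STEP
    first, second = hotp(DEMO_SECRET, step), hotp(DEMO_SECRET, step + 1)
    print("code 1:", first, "code 2:", second)
    print("enrolment accepted:", enable_mfa_device(DEMO_SECRET, first, second, now))
    print("same code twice accepted:", enable_mfa_device(DEMO_SECRET, first, first, now))
    print("login code accepted:", verify_login_code(DEMO_SECRET, first, now))
```

The same enrolment step can be driven from the AWS CLI instead of the console: `aws iam enable-mfa-device` takes the device ARN and the two consecutive codes as `--authentication-code1` and `--authentication-code2`, which is the API behind steps 12 to 14. Because a code is only valid for its 30-second window (plus whatever drift the server tolerates), a code that was generated and then left unused for several minutes will be rejected, which is the reason the walkthrough warns against waiting between the two codes.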

A few additional notes:

Matt Jordan is the Cloud Services Manager for JHC Technology.  He can be reached at mjordan(at)jhctechnology.com, @matt_jhc, or connect with him on LinkedIn.

Friday, October 25, 2013

JHC Technology's Best Practices for Amazon Web Services

JHC Technology has been utilizing Amazon Web Services (AWS) since its beginning in 2010, and is now an Authorized Government Partner, an Advanced Consulting Partner and a Channel Reseller for AWS. 

Not only do we recommend AWS as the Infrastructure as a Service (IaaS) platform for our clients but I am happy to say that JHC has never purchased any datacenter equipment/infrastructure for our internal systems or operations.  

All JHC infrastructure has been deployed in the AWS cloud platform since we started, including:  
  • Blackberry Enterprise Server
  • Exchange
  • SharePoint
  • Active Directory
  • Citrix
  • Test/Development environments

Through the course of the last three years, I have been mentally drawing up a list of JHC best practices for deploying solutions/datacenter operations on the Amazon Web Services platform.   Below are a few examples:
  • Fail quickly, often, and cheaply.
  • Architect a Zero Trust Model for your AWS Solution.
  • Own your AWS accounts and use consolidated billing with a trusted AWS reseller.
  • Design for Disaster Recovery and High Availability for both AWS infrastructure and applications deployed on AWS infrastructure.
  • Utilize AWS Storage Gateway, S3, and Glacier for full lifecycle backup and restores.
  • Put in place least privilege administration security policies for AWS Identity and Access Management.
  • Do not take a cloud and/or Infrastructure as a Service only posture.  Consider hybrid Cloud solutions that utilize on premise infrastructure, Platform as a service, and/or Software as a Service that integrate with your AWS solution.
  • Architect for least viable solution and use business rules to auto scale up and down.
  • Deploy your Development and User Acceptance Testing environments on AWS.  Design solution to turn on environments only when needed and automate shut down of environments.
  • Deploy your infrastructure inside Virtual Private Cloud that crosses multiple availability zones within an AWS region.
  • Decouple compute and storage when possible but realize that most clients’ applications can’t be deployed in this manner.  Consider deploying legacy applications inside AWS and provide roadmap for refactoring to make application more AWS cloud friendly/efficient.
James Hirmas is the CEO for JHC Technology.  He can be reached at jhirmas(at)jhctechnology.com, @JHC_JamesHirmas, or connect with him on LinkedIn.