Securing AWS Managed Microsoft AD Directory: Enhanced Authentication for Console Login

Add Security Layer for Authentication with AWS Managed Microsoft AD Directory

Question

Your company has set up the AWS Managed Microsoft AD directory.

Users log in to the AWS console using their AD credentials.

They want you to add a security layer for authentication.

How can you achieve this?

Answers

Explanations


Answer: B.

Option A is incorrect because the username and password are only the first level of authentication; the requirement is an additional layer of authentication on top of the user credentials.

Option B is CORRECT because you can enable multi-factor authentication (MFA) for your AWS Managed Microsoft AD directory to increase security when your users specify their AD credentials to access Supported Amazon Enterprise Applications.

When you enable MFA, your users enter their username and password (first factor) as usual.

They must also enter an authentication code (the second factor) they obtain from your virtual or hardware MFA solution.

These factors together provide additional security by preventing access to your Amazon Enterprise applications unless users supply valid user credentials and a valid MFA code.

Option C is incorrect because AWS access keys are used for programmatic access to AWS services via CLI or SDK.

They cannot provide a second layer of authentication via Microsoft AD.

Option D is incorrect because MFA needs to be enabled on the AD directory and not on the AWS IAM service.

Reference:

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_mfa.html

To add a security layer for authentication for users logging into the AWS console using their AD credentials with an AWS Managed Microsoft AD directory, you should enable multi-factor authentication (MFA) for the AWS Managed Microsoft AD directory.

The correct answer is B. Enable multi-factor authentication for your AWS Managed Microsoft AD directory.

Here's a more detailed explanation:

Multi-factor authentication (MFA) provides an extra layer of security for user authentication. MFA requires users to provide an additional piece of information, such as a security token, in addition to their username and password. This additional piece of information makes it more difficult for attackers to gain access to user accounts, even if they have obtained the user's password.

In the context of an AWS Managed Microsoft AD directory, enabling MFA for the directory means that users will be required to provide a second factor of authentication when logging in to the AWS console using their AD credentials.

To enable MFA for an AWS Managed Microsoft AD directory, you can use AWS Directory Service for Microsoft Active Directory, which provides a fully managed directory service that enables you to connect your AWS resources with an on-premises Microsoft Active Directory.

After setting up AWS Directory Service for Microsoft Active Directory, you can enable MFA for the directory by configuring an MFA solution such as AWS Multi-Factor Authentication (MFA). With AWS MFA, users can authenticate using a hardware device, a virtual MFA device in their mobile app, or a text message or voice call to their phone.
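A practitioner who has enabled MFA on a directory usually also wants a way to verify that it is actually in effect. The referenced AWS guide (ms_ad_mfa.html) implements MFA for AWS Managed Microsoft AD through a RADIUS-based MFA server, and the Directory Service API exposes the result as the `RadiusSettings` and `RadiusStatus` fields of `DescribeDirectories`. The following is an added audit script, not code from the page or from AWS; the directory IDs and settings in `SAMPLE_DESCRIBE_DIRECTORIES` are constructed sample data, and the optional live lookup assumes `boto3` and AWS credentials are available.

```python
"""Audit AWS Managed Microsoft AD directories for RADIUS-based MFA.

Added example (not from the page). It classifies each directory returned by
DescribeDirectories and lists the Managed Microsoft AD directories on which
MFA is not in the 'Completed' state.
"""
from typing import Any, Dict, List

# Constructed sample output in the shape of DescribeDirectories; the IDs are
# placeholders, not real directories.
SAMPLE_DESCRIBE_DIRECTORIES: Dict[str, Any] = {
    "DirectoryDescriptions": [
        {   # MFA enabled and healthy
            "DirectoryId": "d-EXAMPLE00001", "Name": "corp.example.com",
            "Type": "MicrosoftAD",
            "RadiusSettings": {
                "RadiusServers": ["10.0.1.10"], "RadiusPort": 1812,
                "RadiusTimeout": 10, "RadiusRetries": 3,
                "AuthenticationProtocol": "MS-CHAPv2",
                "DisplayLabel": "corp-mfa", "UseSameUsername": True,
            },
            "RadiusStatus": "Completed",
        },
        {   # Managed Microsoft AD with no RADIUS MFA configured at all
            "DirectoryId": "d-EXAMPLE00002", "Name": "dev.example.com",
            "Type": "MicrosoftAD",
        },
        {   # RADIUS configured but AWS could not reach the MFA server
            "DirectoryId": "d-EXAMPLE00003", "Name": "test.example.com",
            "Type": "MicrosoftAD",
            "RadiusSettings": {
                "RadiusServers": ["10.0.2.10"], "RadiusPort": 1812,
                "RadiusTimeout": 10, "RadiusRetries": 3,
                "AuthenticationProtocol": "PAP",
                "DisplayLabel": "test-mfa", "UseSameUsername": True,
            },
            "RadiusStatus": "Failed",
        },
        {   # AD Connector: out of scope for this audit
            "DirectoryId": "d-EXAMPLE00004", "Name": "onprem.example.com",
            "Type": "ADConnector",
        },
    ]
}


def mfa_state(directory: Dict[str, Any]) -> str:
    """Classify one DirectoryDescription entry.

    'not_configured' - no RADIUS servers defined
    'enabled'        - RadiusStatus is Completed (MFA is enforced)
    'failed'         - RADIUS was set up but AWS reports Failed
    'pending'        - RADIUS is still being created
    """
    settings = directory.get("RadiusSettings") or {}
    if not settings.get("RadiusServers"):
        return "not_configured"
    status = directory.get("RadiusStatus")
    if status == "Completed":
        return "enabled"
    if status == "Failed":
        return "failed"
    return "pending"


def directories_without_mfa(response: Dict[str, Any]) -> List[str]:
    """Return the IDs of Managed Microsoft AD directories whose MFA is not enabled."""
    missing: List[str] = []
    for d in response.get("DirectoryDescriptions", []):
        # Simple AD and AD Connector are handled differently; audit only Managed AD.
        if d.get("Type") != "MicrosoftAD":
            continue
        if mfa_state(d) != "enabled":
            missing.append(d["DirectoryId"])
    return missing


def fetch_live() -> Dict[str, Any]:
    """Fetch real DescribeDirectories output (assumes boto3 and AWS credentials)."""
    import boto3  # imported lazily so the audit logic works offline
    return boto3.client("ds").describe_directories()


if __name__ == "__main__":
    # Run against the constructed sample; swap in fetch_live() for a real account.
    for d in SAMPLE_DESCRIBE_DIRECTORIES["DirectoryDescriptions"]:
        print(f"{d['DirectoryId']:16} {d['Type']:12} {mfa_state(d)}")
    print("Managed AD without MFA:", directories_without_mfa(SAMPLE_DESCRIBE_DIRECTORIES))
```

Running the script against the sample reports `d-EXAMPLE00002` (never configured) and `d-EXAMPLE00003` (configured but failed) as lacking MFA; a `Failed` status deserves the same attention as no configuration, because users of that directory are still authenticating with password alone.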

Note that option A, allowing users to log in with their username and password, does not add an extra layer of security and is not recommended for securing the AWS console.

Option C, using access keys along with the username and password, is a way to provide programmatic access to AWS resources but is not relevant for securing the AWS console login.

Option D, enabling MFA for the IAM user, would add an extra layer of security for accessing AWS resources through IAM, but it does not apply to logging into the AWS console using AD credentials.