
Does RightScale support AWS Multi-Factor Authentication?


Background

RightScale is a separate platform from the clouds it manages, and thus has its own authentication and authorization mechanisms. However, we do support Multi-Factor Authentication through our support of SAML and identity federation.

Answer

RightScale currently does not support AWS MFA as an authentication mechanism in the RightScale dashboard.

However, the RightScale Cloud Management Platform supports the following end-user authentication mechanisms:

  • Username and password (password length/complexity and lockout policies are enforced).
  • Single Sign-On using SAML or OpenID.
  • OAuth 2.0 refresh token (for API access only).

 

By leveraging SAML, RightScale can integrate with customer identity platforms such as Active Directory (ADDS and ADFS) or third-party identity platforms such as Okta, Ping, OneLogin, and others.

Two-factor authentication for access to RightScale can be implemented in a federated manner through any of the above identity management platforms or via OpenID.

You may leverage IP whitelisting capabilities in the RightScale platform to limit access to RightScale Cloud Management based on user IP address. Whitelisting policies apply to both the RightScale UI and API.

A session timeout is in place: sessions are invalidated after two hours of inactivity, and this timeout applies to both UI and API sessions. See User and Account Management.

 

Note for Amazon Web Services

There are two cases for using AWS MFA on an AWS account:

  1. When logging into the AWS Console (not the RightScale dashboard)
  2. When accessing the AWS API

RightScale uses API interactions between the RightScale gateway and the AWS API endpoint, so enabling AWS MFA for AWS console access (use case #1) has no effect on RightScale operations or access. However, if a user enables AWS MFA for API access (use case #2), this will break RightScale's ability to communicate with the AWS API endpoint. The main issue is that when AWS MFA is enabled for API access, the tokens are short-lived (36 hours max at this time). Per http://docs.aws.amazon.com/IAM/lates...tectedAPI.html: "MFA-protected API access is available only to services that support temporary security credentials."

 

Since RightScale must have long-term API access, the user would have to enter new credentials every day and a half (36 hrs), which isn't practical. MFA-protected API access only controls access for IAM users. Root accounts are not bound by IAM policies, which is why AWS recommends that you create IAM users to interact with AWS service APIs rather than use root account credentials. To learn how you can use IAM in RightScale, see Can I use AWS Identity and Access Management (IAM) to further restrict user access?
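To make use case #2 concrete, the following added example (not RightScale or AWS code) models how an IAM policy that requires MFA treats a long-term access key of the kind a management platform stores, compared with temporary session credentials. The policy, the request contexts and the evaluator are constructed for illustration and model only the `Bool` and `BoolIfExists` operators on the `aws:MultiFactorAuthPresent` condition key; the assumption is that long-term keys carry no MFA key in the request context, as AWS documents.

```python
from fnmatch import fnmatchcase

def mfa_policy(operator="BoolIfExists"):
    """Constructed policy of the usual "deny unless MFA" shape."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
            {"Effect": "Deny", "Action": "*", "Resource": "*",
             "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }

# Constructed request contexts.
LONG_TERM_KEY = {}  # access key + secret: no MFA key in the context at all
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}      # temporary, MFA code given
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}  # temporary, no MFA code

def condition_matches(condition, context):
    """Simplified model: only Bool and BoolIfExists are handled."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False  # absent key: Bool does not match
                continue          # absent key: BoolIfExists matches
            if context[key].lower() != expected.lower():
                return False
    return True

def evaluate(policy, action, context):
    """Explicit Deny wins; otherwise at least one Allow is required."""
    allowed = False
    for stmt in policy["Statement"]:
        if not fnmatchcase(action, stmt["Action"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"

if __name__ == "__main__":
    for name, ctx in [("long-term key", LONG_TERM_KEY),
                      ("MFA session", MFA_SESSION),
                      ("non-MFA session", NO_MFA_SESSION)]:
        print(name, evaluate(mfa_policy(), "ec2:DescribeInstances", ctx))
```

With `BoolIfExists` the stored long-term key is denied, which is the breakage described above; the same statement written with plain `Bool` does not match a long-term key at all, so when auditing such policies check which operator is in use.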

 

 

Last modified
14:06, 4 Jun 2014



© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.