Documentation
Duo Two-Factor Authentication for AWS Directory Service
Last Updated: October 31st, 2024Contents
Amazon Web Services (AWS) has partnered with Duo Security to provide two-factor authentication for AWS Directory Service logins.
AWS is a secure cloud services platform that offers a broad set of global compute, storage, database, analytics, application, and deployment services that help organizations move faster, lower IT costs, and scale applications as they grow.
This AWS Quick Start deploys a configurable number of Duo Authentication Proxy Fargate servers within AWS and adds these newly created Duo Authentication Proxy servers as multi-factor authentication servers, via RADIUS, within the specified AWS Directory Service. In this type of configuration, users see an additional MFA Code field, in which they enter the name of a Duo factor, like push or phone, or enter a passcode generated by Duo Mobile or a hardware token.
This configuration doesn't support inline self-service enrollment. You'll need to create your users in Duo ahead of time using one of our other enrollment methods, like directory sync or CSV import. Read the enrollment documentation to learn more.
This application communicates with Duo's service on SSL TCP port 443.
Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.
Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.
First Steps
- Sign up for a Duo account.
- Log in to the Duo Admin Panel and navigate to Applications → Protect an Application.
- Locate the entry for AWS Directory Services in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
Configure Duo in AWS Directory Service
Refer to the Duo MFA on the AWS Cloud Quick Start Reference Deployment to add Duo MFA to AWS Directory Service logins.
Troubleshooting
Need some help? Reach out to Duo Support for assistance with creating the AWS Directory Service application in Duo, enrolling users, policy questions, or authentication approval issues. For assistance configuring or managing AWS Directory Service, or with AWS Lambda, Fargate, or CloudFormation, please contact AWS Support.