This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Requirement 4 - Prevent compromise of credentials
Password policy
AWS Secrets Manager
Refer to Physical and logical password storage in this document for details on AWS Secrets Manager. It is your responsibility to define the password policy and enforce it.
To access AWS in a typical enterprise environment, use a federated login to AWS from the corporate identity provider. In this scenario, authentication and the password policy for SWIFT operator PCs and accounts are enforced by the corporate identity provider under the corporate security policy.
You are responsible for configuring operating system level access to EC2 instances. Using AWS Systems Manager Session Manager for interactive access removes the need to manage operating system passwords for human operators on your EC2 instances, because access is authorized through IAM rather than through local credentials. For the service accounts that run applications on the OS, maintaining the password policy remains your responsibility.
Multi-factor authentication
Multi-factor authentication (MFA) is mandated for the jump server used to access the SWIFT secure zone. Where AWS Systems Manager Session Manager is used to access the SWIFT secure zone, require MFA in the trust policy of the IAM role that operators assume, so that a session cannot be started without it, including when federation is used. Refer to MFA-for-SAML.
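The following trust policy is an added illustration of that requirement, not a policy taken from the whitepaper. It assumes a central identity account with the placeholder account ID 111122223333 whose IAM principals assume an operator role in the SWIFT account; the account ID and statement ID are placeholders. The aws:MultiFactorAuthPresent key evaluates MFA performed by AWS on the sts:AssumeRole call; when the session is established through SAML federation, the MFA step happens at the identity provider (refer to MFA-for-SAML for that case).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMfaToAssumeSwiftOperatorRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        },
        "NumericLessThan": {
          "aws:MultiFactorAuthAge": "3600"
        }
      }
    }
  ]
}
```

The Bool condition refuses the role to any caller whose session was not MFA-authenticated, and the NumericLessThan condition additionally refuses sessions whose MFA is older than one hour, so a long-lived session cannot be reused to enter the secure zone indefinitely. The role's permission policy, not shown, is where ssm:StartSession on the SWIFT instances is granted.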
The root user of the AWS account can also reach the SWIFT secure zone through AWS Systems Manager Session Manager by default. In a member account of an AWS Organizations organization, you can block this access with a service control policy (SCP); refer to the example “Block service access for the root user” on the Example service control policies page. Note that SCPs do not apply to the management account, so the SWIFT accounts should be member accounts under the OU that carries the SCP. You should also enable MFA for the root user; refer to Enable MFA on the AWS account root user. The following diagram illustrates an example multi-account structure with SWIFT accounts in an OU to which the “Block service access for the root user” SCP is applied.
Example of a multi-account structure with SWIFT accounts and OU with “Block service access for the root user” SCP applied
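The following SCP is an added example, not taken from the whitepaper, adapted from the AWS example “Block service access for the root user” (which denies ec2:* for the root user). Here the action list is narrowed to the Session Manager actions that would open or resume an interactive session on SWIFT instances; the statement ID is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySessionManagerForRootUser",
      "Effect": "Deny",
      "Action": [
        "ssm:StartSession",
        "ssm:ResumeSession",
        "ssm:SendCommand"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

Attach the SCP to the OU that contains the SWIFT accounts, as in the diagram above. The aws:PrincipalArn pattern matches the root user of every member account under that OU, and the explicit Deny cannot be overridden by any IAM policy inside those accounts. The SCP restricts only the actions listed; it does not remove the root user's other privileges, which is why MFA on the root user remains necessary alongside it.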