本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 多重身份验证
****
- **如果组织的用户向其组织面向互联网的服务进行身份验证,则使用多重身份验证。**
- **实施指导:** [主题 4:管理身份](theme-4.md):实施身份联合验证 / **AWS 资源:** [要求人类用户与身份提供商联合使用临时 AWS 证书进行访问](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html)
[Implement temporary elevated access to your AWS environments](https://aws.amazon.com/blogs/security/managing-temporary-elevated-access-to-your-aws-environment/) / **AWS Well-Architected 指南:** [SEC02-BP04 依赖集中式身份提供商](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_identity_provider.html)
- **实施指导:** [主题 4:管理身份](theme-4.md):强制执行 MFA / **AWS 资源:** [根用户需要 MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html)
[要求通过 MFA AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/how-to-configure-mfa-device-enforcement.html)
[考虑要求对特定于服务的 API 操作进行 MFA](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-mfa) / **AWS Well-Architected 指南:** [SEC02-BP01 使用强大的登录机制](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_enforce_mechanisms.html)
- **如果组织的用户向处理、存储或传输其组织敏感数据的面向互联网的第三方服务进行身份验证,则他们将使用多重身份验证。**
- **实施指导:** 请参阅[实现多重身份验证](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/implementing-multi-factor-authentication)(ACSC 网站)
- **AWS 资源:** 不适用
- **AWS Well-Architected 指南:** 不适用
- **如果组织的用户向处理、存储或传输其组织非敏感数据的面向互联网的第三方服务进行身份验证,则他们将使用多重身份验证(可用时)。**
- **如果非组织用户向组织面向互联网的服务进行身份验证,则默认情况下会启用多重身份验证(但用户可以选择退出)。**
- **多重身份验证用于对系统的特权用户进行身份验证。**
- **实施指导:** [主题 4:管理身份](theme-4.md):实施身份联合验证 / **AWS 资源:** [要求人类用户与身份提供商联合使用临时 AWS 证书进行访问](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html)
[Implement temporary elevated access to your AWS environments](https://aws.amazon.com/blogs/security/managing-temporary-elevated-access-to-your-aws-environment/) / **AWS Well-Architected 指南:** [SEC02-BP04 依赖集中式身份提供商](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_identity_provider.html)
- **实施指导:** [主题 4:管理身份](theme-4.md):强制执行 MFA / **AWS 资源:** [根用户需要 MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html)
[要求通过 IAM Identity Center 进行 MFA](https://docs.aws.amazon.com/singlesignon/latest/userguide/how-to-configure-mfa-device-enforcement.html)
[考虑要求对特定于服务的 API 操作进行 MFA](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-mfa) / **AWS Well-Architected 指南:** [SEC02-BP01 使用强大的登录机制](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_enforce_mechanisms.html)
- **多重身份验证用于对访问重要数据存储库的用户进行身份验证。**
- **实施指导:** [主题 4:管理身份](theme-4.md):强制执行 MFA
- **AWS 资源:** [考虑要求对特定于服务的 API 操作进行 MFA](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-mfa)
- **AWS Well-Architected 指南:** [SEC02-BP01 使用强大的登录机制](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_enforce_mechanisms.html)
- **多重身份验证可以抵抗验证者冒充攻击,它使用以下两种方式之一:一种是用户拥有的东西与用户知晓的信息相结合,或者是一种用户拥有的、但需要通过用户知晓的信息或用户固有的生物特征来解锁的东西**
- **实施指导:** 请参阅[实现多重身份验证](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/implementing-multi-factor-authentication)(ACSC 网站)
- **AWS 资源:** 不适用
- **AWS Well-Architected 指南:** 不适用
- **成功和失败的多重身份验证会集中记录,防止未经授权的修改和删除,监控泄露迹象,并在检测到网络安全事件时采取行动。**
- **实施指导:** [主题 7:集中记录和监控](theme-7.md):启用日志记录
[主题 7:集中记录和监控](theme-7.md):集中日志
- **AWS 资源:** [将 CloudWatch 日志集中到账户中以进行审计和分析](https://aws.amazon.com/blogs/architecture/stream-amazon-cloudwatch-logs-to-a-centralized-account-for-audit-and-analysis/)(AWS 博客文章)
[集中管理 Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/managing-multiple-accounts.html)
[集中管理 Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html)
[Create an organisation-wide aggregator in AWS Config](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)(AWS 博客文章)
[集中管理 GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html)
[考虑使用 Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html)
[接收来自多个账户的 CloudTrail 日志](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
[向日志归档账户发送日志](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/security-ou-and-accounts.html#log-archive-account)
- **AWS Well-Architected 指南:** [SEC04-BP01 配置服务和应用程序日志](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html)
[SEC04-在标准化位置BP02 捕获日志、发现结果和指标](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_logs.html)