Leadline Inc.
Control Requirements

LS-26: Multi-Factor Authentication or VPN for Remote Access

Multi-factor authentication for administrative activities or VPN for remote access

Control Description

"Multi-factored authentication is enabled to access all administrative activities within the in-scope production environment related to the in-scope applications and related databases.

OR

Remote access to the network and to the production environment related to the in-scope applications and related databases is restricted to appropriate users via VPN."

Plain Meaning

This control provides two options for securing administrative and remote access. Option 1 requires multi-factor authentication for all administrative activities, while Option 2 requires VPN access for remote connections to the production environment.

Implementation: Multi-Factor Authentication and VPC Access Control

AWS Multi-Factor Authentication (MFA)

We implement mandatory multi-factor authentication (MFA) for all AWS administrative access, ensuring secure authentication for all administrative activities within our production environment.

MFA Requirements

  • AWS Console Access: 2FA required for all AWS Management Console access
  • Administrative Activities: MFA mandatory for all administrative functions
  • Root Account Protection: MFA enabled for root account access
  • IAM User MFA: All IAM users must have MFA devices configured

MFA Implementation

  • Virtual MFA Devices: AWS Virtual MFA application for mobile devices
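One way to verify the IAM User MFA and Root Account Protection requirements above is to evaluate the IAM credential report, which lists every user (root appears as `<root_account>`) with `password_enabled` and `mfa_active` columns. The following is an added example written for this page, not Leadline's own tooling; the report content, account id and user names are constructed for illustration.

```python
import csv
import io

# Constructed sample in the layout of an AWS IAM credential report
# (`aws iam get-credential-report`), trimmed to the columns checked here.
# The account id and user names are made up.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true
"""


def find_mfa_gaps(report_csv):
    """Return (user, severity, reason) for every principal without MFA.

    Root or console-enabled users without MFA are 'high' (they break the
    LS-26 MFA option outright); API-only users without a device are
    'medium', since the control still expects every IAM user to have one.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa_active = row["mfa_active"] == "true"
        console_login = row["password_enabled"] == "true"
        if mfa_active:
            continue
        if user == "<root_account>":
            findings.append((user, "high", "root account has no MFA device"))
        elif console_login:
            findings.append((user, "high", "console login enabled without MFA"))
        else:
            findings.append((user, "medium", "API-only user with no MFA device"))
    return findings


def is_compliant(report_csv):
    """True when no root or console-capable principal lacks MFA."""
    return not any(sev == "high" for _, sev, _ in find_mfa_gaps(report_csv))


if __name__ == "__main__":
    # In production, pass the decoded Content of iam.get_credential_report()
    # (boto3) instead of the constructed sample.
    for user, severity, reason in find_mfa_gaps(SAMPLE_REPORT):
        print(f"{severity:6} {user:15} {reason}")
    print("compliant:", is_compliant(SAMPLE_REPORT))
```

Run it on a periodic schedule and feed the 'high' findings into the Failed Authentication / access review alerting described later on this page.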

Grafana Dashboard Access Control

VPC-Only Access

  • No Public Access: Grafana dashboards have no public internet access
  • VPC Connection Required: All access must be through VPC connections
  • Private Subnet Placement: Grafana instances deployed in private subnets
  • Security Group Restrictions: Strict security groups limit access to authorized IPs

Access Methods

  • VPN Connection: Remote users must connect via VPN to access Grafana
  • Bastion Host: Secure jump host for administrative access when needed
  • VPC Peering: Internal network access through VPC peering connections

Remote Access Security

VPN Requirements

  • Mandatory VPN: All remote access requires VPN connection
  • VPN Authentication: VPN access requires valid credentials and MFA
  • Network Segmentation: VPN users access only authorized network segments
  • Session Management: VPN sessions have time limits and automatic logout

Access Control

  • User Authentication: Valid username and password required
  • Multi-Factor Authentication: 2FA required for VPN access
  • Authorization: Access granted based on job function and need
  • Audit Logging: Complete logs of all VPN access attempts

Security Monitoring

Access Monitoring

  • MFA Usage Tracking: Monitor MFA device usage and authentication
  • VPN Access Logs: Track all VPN connection attempts and sessions
  • Grafana Access Logs: Monitor dashboard access and usage patterns
  • Failed Authentication Alerts: Immediate alerts for failed access attempts

Compliance Requirements

  • Access Reviews: Regular review of MFA and VPN access permissions
  • Audit Trails: Complete audit trails for all administrative access
  • Security Assessments: Regular security assessments of access controls
  • Incident Response: Procedures for access-related security incidents

Related Controls

  • LS-05: Direct database access restrictions
  • LS-14: Administrative access restrictions
  • LS-16: Encrypted data transmission