reference deployment

Duo MFA on AWS

Mitigate security threats with multi-factor authentication for AWS Directory Service directory types

This Quick Start automatically deploys Duo multi-factor authentication (MFA) for AWS Directory Service on the Amazon Web Services (AWS) Cloud in about 10 minutes. The Quick Start uses the Duo Authentication Proxy for AWS Directory Service to gain MFA functionality.

This Quick Start is for those who currently use or intend to use AWS Directory Service directory types such as AWS Directory Service for Microsoft Active Directory (also known as AWS Managed Microsoft AD) or Active Directory Connector (AD Connector), and who want to apply MFA in a highly available, secure implementation.

Duo MFA mitigates the threat of compromised credentials caused by phishing, malware, and other security threats, reducing risk while meeting compliance requirements for access security.

If you use a federation mechanism like AWS Single Sign-On (AWS SSO) or Active Directory Federation Services (AD FS) with a Directory Service option, you configure your own MFA. Using Duo MFA, you log in to the AWS Management Console, and then use Duo authentication methods including Duo Push through Duo Mobile, and your Active Directory credentials to authenticate to AWS.

duo logo

This Quick Start was developed by Duo Security in collaboration with AWS. Duo Security is an
APN Partner.

  •  What you'll build
  •  How to deploy
  •  Cost and licenses
  •  What you'll build
  • Use this Quick Start to set up the following:

    • A set of Amazon Elastic Compute Cloud (Amazon EC2) instances that are configured with the Duo Authentication Proxy.
    • An AWS Systems Manager document that is used by AWS Systems Manager State Manager to configure the EC2 instances with the Duo authproxy service.
    • A Remote Authentication Dial-In User Service (RADIUS) shared secret created by AWS Secrets Manager.
    • An AWS Lambda function used by Secrets Manager to automatically rotate the RADIUS shared secret on a weekly basis.
    • An Amazon Simple Notification Service (Amazon SNS) topic invoked when a new RADIUS EC2 instance is created.
    • A Lambda function that subscribes to the SNS topic that configures AWS Directory Service to use RADIUS servers.
    • An Amazon Simple Storage Service (Amazon S3) bucket that stores the Systems Manager State Manager executions.
    • An Amazon CloudWatch log group that stores Authentication Proxy logs from the RADIUS servers.  
  •  How to deploy
  • To deploy Duo MFA for AWS Directory Service on AWS, follow the instructions in the deployment guide. The deployment process includes these steps:

    1. If you don't already have an AWS account, sign up at, and sign in to your account.
    2. Sign up for a license at
    3. Launch the Quick Start. The deployment takes about 10 minutes.
    4. Validate the deployment.
    5. Create a service delegation role. Before you can federate using your directory, you must create a role that your directory service can use that you can federate into.
  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these parameters, such as instance type, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.

    Tip     After you deploy the Quick Start, we recommend that you enable the AWS Cost and Usage Report to track costs associated with the Quick Start. This report delivers billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. It provides cost estimates based on usage throughout each month, and finalizes the data at the end of the month. For more information about the report, see the AWS documentation.

    This Quick Start requires a license for Duo MFA. Learn more about the Duo license, and sign up for a license at You must set up at least one Duo user whose email address is associated with at least one user in Active Directory.