reference deployment

Cisco Duo MFA on AWS

Deploy Duo MFA using the AWS Fargate serverless compute engine

Signing in to the AWS Management Console traditionally requires a user name and password. To help mitigate the threat of leaked credentials, AWS offers the ability to enable multi-factor authentication (MFA) for your AWS Identity and Access Management (IAM) users or your AWS account root users.

This Quick Start automatically deploys Duo MFA on the Amazon Web Services (AWS) Cloud. It's for those who want to use AWS Directory Service directory types and apply Duo MFA. Directory Service directory types include AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) and Active Directory Connector (AD Connector).

With this Quick Start, you deploy Duo using the AWS Fargate serverless compute engine for containers. You can build an environment that's ready for compliance with Cybersecurity Maturity Model Certification (CMMC). Since CMMC certification is typically required of U.S. Department of Defense contractors, this Quick Start supports Duo Federal Edition.

Deploying this Quick Start does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations.

duo logo

This Quick Start was developed by Duo Security in collaboration with AWS. Duo Security is a wholly owned subsidiary of Cisco. Cisco is an AWS Partner.

AWS Service Catalog administrators can add this architecture to their own catalog.  

  •  What you'll build
  • This Quick Start sets up the following:

    • A highly available architecture that spans two Availability Zones.*
    • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
      • In the public subnets, managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
      • A serverless managed AWS Fargate cluster with containers for Duo Authentication Proxy. The cluster is replaced whenever a new image is deployed or whenever the secrets are updated.
    • A continuous integration and continuous delivery (CI/CD) pipeline for image deployment:
      • AWS CodePipeline to retrieve the latest code from AWS CodeCommit in response to an Amazon CloudWatch event once a week by default.
      • AWS CodeBuild, which CodePipeline uses to build a new container image. CodePipeline then uploads the new container image to Amazon Elastic Container Registry (Amazon ECR).
    • Image discovery:
      • Amazon ECR, which stores each new container image.
      • Amazon Elastic Container Service (Amazon ECS), which discovers the images and pushes them to Fargate.
    • CloudWatch CPU and memory alarms that invoke Amazon Simple Notification Service (Amazon SNS) notifications to Duo administrators.
    • An AWS Key Management Service (AWS KMS) key that encrypts all Duo Authentication Proxy–related resources.
    • Secrets and events management, which works as follows (a two- to three-minute process):
      • AWS Secrets Manager rotates the secrets that are used for the cluster.
      • With each rotation, an AWS Lambda function replaces the Fargate containers, deploying the newest image.
      • After the Fargate containers stabilize, a CloudWatch event initiates a second Lambda function to update the Duo MFA settings in AWS Systems Manager Parameter Store.
      • Finally, a CloudWatch event initiates a third Lambda function. This function either updates AWS Directory Service or, if the update fails, sends Duo administrators an SNS notification.

    *  The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To deploy Duo MFA on AWS, follow the instructions in the deployment guide. The deployment process takes about 45 minutes and includes these steps:

    1. Sign up for a license at
    2. Sign in to your AWS account. If you don't have an account, sign up at
    3. Launch the Quick Start. Before you create the stack, choose the AWS Region from the top toolbar. You can choose from two options:
    4. Verify your deployment.
    5. (Optional) Modify your implementation.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    This Quick Start requires a license for Duo MFA. You must set up at least one Duo user whose email address is associated with at least one user in Microsoft Active Directory. For more information, refer to Duo Editions & Pricing.

    The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information about the report, refer to  What are AWS Cost and Usage Reports?