
How To Implement MFA For AWS Account

Last Updated : 30 Jan, 2024

MFA stands for Multi-Factor Authentication. In AWS, it acts as a second layer of security protecting your AWS account: even if someone knows your password, they cannot sign in because they do not have your physical device. This is what it aims to achieve, and it is a highly recommended security standard in organizations everywhere. Each account in AWS can have up to 8 MFA devices. In this article, we will see how to implement MFA in an AWS account.

Setting Up MFA In AWS Account

There are several device options to choose from when setting up MFA for your AWS account:

  • FIDO Security Keys (hardware keys made by third-party companies such as Yubico)
  • Virtual Authenticator Apps (apps such as Google Authenticator or Microsoft Authenticator, downloadable for free from the Google Play Store)
  • Hardware TOTP tokens (tokens purchased from AWS; these are made exclusively for AWS)

In this article, we will look at how to set up MFA using a Virtual Authenticator App.

Steps To Create MFA for Root and IAM Users – Virtual MFA Devices

Step 1: Log in to the AWS Management Console and, in the navigation bar on the upper right corner, select the account for which you wish to add the MFA device. From the drop-down shown below, choose the option Security credentials. This will take you to the IAM global console, where you can manage the overall security of your account.

IAM global console

Step 2: Scroll down to the MFA options listed. This allows you to add MFA devices.

Configuring MFA

Step 3: Download an authenticator app, such as Authy from Twilio, on your smartphone from the Google Play Store or Apple App Store.

Download any Virtual Authenticator App

Step 4: After downloading the application of your choice, head over to the MFA section in the IAM console. Click on the Assign MFA device option.

Click on Assign MFA device option

Step 5: After you have clicked Next on the Assign MFA device option, you will be prompted to choose a name for your device. In this example, the device is named ‘my-smartphone’.

Choosing Device Name

Step 6: After typing in the name, when you scroll down you will see the following choices. Select ‘Authenticator App’ and click on next.

Choosing MFA Device

  • You will be taken to the next page where you will click on the “Show QR Code” button as shown below.

Revealing the QR Code

  • This reveals the QR code. Now, in your authenticator application, click on the add a new device option and scan the QR code. Type the 6-digit code you see in your mobile phone app into the MFA code 1 field.
  • When your code refreshes after 60 seconds, a new code will appear. Type this into the MFA code 2 field and click on Add MFA.

Scanning QR Code

  • If you have followed all the steps as stated, you will see that when you navigate to your IAM dashboard, it displays that you have MFA enabled for your account.

Verification of MFA enablement

Setting Up MFA Using Hardware Devices

Setting up MFA using one of the hardware device options is similar to setting it up with a virtual authenticator application, with the following slight changes:

  • Get a hardware MFA device: To enable MFA using one of the hardware devices, you must first obtain one of these devices.
  • FIDO Security Keys: FIDO-certified security keys can be ordered for free from the AWS console by US-based customers. Other users can buy keys such as those from Yubico themselves. The process of adding these to an account is:
    • Log in to the AWS Management Console and, in the navigation bar on the upper right corner, select the account for which you wish to add the security key.
    • From the drop-down shown below, choose the option Security credentials.
    • This will take you to the IAM global console, where you can manage the overall security of your account.

    Security Credentials

    • Next, on the AWS IAM console, scroll down to see your MFA devices listed. Click on the Assign MFA device option.

    Navigating to MFA

    • Select a suitable name for your device and choose the option Security Keys from the list as shown below. Then click on Next.

    MFA Device Name

    Enter a name

    Choose Security Key

    • Next, connect the device to your computer and tap it. This successfully configures your security key for use with AWS. The next time you log in to your AWS account, you will need to use your security key.

    Adding FIDO keys

  • Hardware TOTP Tokens: To add these devices for MFA, follow these steps:
    • Log in to the AWS Management Console and, in the navigation bar on the upper right corner, select the account for which you wish to add the MFA device.
    • From the drop-down shown below, choose the option Security credentials.
    • This will take you to the IAM global console, where you can manage the overall security of your account.

    Navigating to IAM console

    • Next, on the AWS IAM console, scroll down to see your MFA devices listed. Click on the Assign MFA device option.

    View MFA devices

    • Select a suitable name for your device and choose the option Security Keys from the list as shown below. Then click on Next.

    TOTP Device Name

    Selecting TOTP Device

    • After clicking on Next, you will be taken to a new page where you will have to enter the serial number of your hardware device, which is located on its back.
    • Fill in this serial number in the designated field. Start the device. You will see a six-digit MFA code. Enter it into the first field and wait for 30 seconds.
    • A new MFA code will appear. Enter it into the second field and click on the Add MFA button.
    • This successfully adds the TOTP hardware device to the account. Refer to the screenshot below.

    Adding serial number and MFA codes

Managing MFA Devices In AWS

AWS makes it quite simple to manage your MFA Devices. Each account in AWS can have up to 8 MFA devices at any given time. All these options can be managed from the AWS IAM console under the Multi-Authentication Devices section.

  • Log in to the AWS Management Console and, in the navigation bar on the upper right corner, select the account whose MFA devices you wish to manage.

Navigating to IAM dashboard

  • From the drop-down shown below, choose the option Security credentials. This will take you to the IAM global console, where you can manage the overall security of your account.

Managing MFA devices

The console shown above contains everything needed to work with MFA devices: it allows the addition, removal and resyncing of MFA devices in AWS.

Best Practice Of MFA Security in AWS

  • Always add MFA devices for the root user and for every IAM user.
  • The physical security of your hardware devices is your responsibility. If you add them to your account and lose them, you will not be able to access your account.
  • Consider adding multiple MFA devices to secure your account. In case you lose any one of your devices, you will still be able to access your account and remove the device that you lost.
  • Keep your MFA devices secret. Never share the specifics of your credentials with anyone.
  • Always buy your MFA devices from authentic sources. Physical MFA devices that are plugged into your computer may have been tampered with.
  • If you are the root user, make it mandatory for your IAM users to add MFA to their accounts. This safeguards your organization from many data breach or hacking attempts in which an intruder gains access to resources they should not.
  • Regularly resync your device to avoid running into problems while you log in.
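As an added example (not from the original article), the following Python script checks two of the practices above against an IAM credential report: that the root user has MFA enabled and that every IAM user with a console password has an MFA device. The sample rows are constructed here (111122223333 is a documentation placeholder account id); the column names `user`, `password_enabled` and `mfa_active` are those of the real credential report.

```python
import csv
import io

# Constructed sample in the shape of an IAM credential report; not data from a
# real account (111122223333 is a documentation placeholder account id).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2023-01-01T00:00:00+00:00,not_supported,2024-01-20T10:00:00+00:00,not_supported,not_supported,true,false,false
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T00:00:00+00:00,true,2024-01-25T09:00:00+00:00,2023-02-01T00:00:00+00:00,N/A,true,true,false
bob,arn:aws:iam::111122223333:user/bob,2023-03-01T00:00:00+00:00,true,2024-01-28T11:00:00+00:00,2023-03-01T00:00:00+00:00,N/A,false,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2023-04-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,false
"""


def parse_report(text: str) -> list[dict]:
    """Parse the CSV body of a credential report into one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def root_mfa_enabled(rows: list[dict]) -> bool:
    """The root user appears as '<root_account>'; its MFA state is in mfa_active."""
    return any(r["user"] == "<root_account>" and r["mfa_active"] == "true" for r in rows)


def console_users_without_mfa(rows: list[dict]) -> list[str]:
    """IAM users who can sign in to the console (password_enabled) but have no MFA.

    Access-key-only users (password_enabled == false) are skipped: they have no
    console sign-in for an MFA device to protect, so they would be false positives.
    """
    return sorted(r["user"] for r in rows
                  if r["user"] != "<root_account>"
                  and r["password_enabled"] == "true"
                  and r["mfa_active"] != "true")


if __name__ == "__main__":
    # For a real account, fetch the report with the AWS CLI and feed it in:
    #   aws iam generate-credential-report
    #   aws iam get-credential-report --query Content --output text | base64 -d
    rows = parse_report(SAMPLE_REPORT)
    print("root MFA enabled:", root_mfa_enabled(rows))
    print("console users missing MFA:", console_users_without_mfa(rows))
```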

Troubleshooting Issues Of MFA Security In AWS

The issue that may arise with MFA devices is your MFA device and your AWS account falling out of sync in time, so that the codes the device generates are no longer accepted. This can be resolved from the AWS Management Console itself. To resync your MFA device, follow these steps.

  • Navigate to the MFA option in the IAM console.

MFA in Iam console

  • Next, select the MFA device you want to resync and click on the Resync option.
  • This opens a new prompt that asks you to enter 2 MFA codes.
  • Enter 2 consecutive MFA codes that you see on your device and then click on Resync.
  • This resolves the synchronization issue with your MFA device.

Troubleshooting the asynchronicity
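Virtual MFA devices and hardware TOTP tokens generate time-based one-time passwords (TOTP, RFC 6238), which is why both the Assign MFA device steps above and the resync procedure ask for two consecutive codes. The following Python model, added here and not part of the original article, shows how the codes are derived from the seed in the QR code and how two consecutive codes let the server measure a device's clock drift; the seed is the RFC test value, and the drift window size is an assumption, not AWS's actual setting.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 6238 test secret), NOT a real AWS MFA seed.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # time step used by virtual MFA devices (TOTP, RFC 6238)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of steps since the Unix epoch."""
    return hotp(secret, at // step)


def seed_from_base32(b32: str) -> bytes:
    """The QR code (or 'show secret key' text) carries the seed in base32; decode it."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def find_device_offset(secret: bytes, code1: str, code2: str, now: int,
                       window: int = 40, step: int = STEP_SECONDS):
    """Model of the two-code check done at device assignment and at resync.

    Look for a step counter c within +/-window steps (assumed window) of the
    server clock such that code1 == HOTP(c) and code2 == HOTP(c + 1). Two
    consecutive codes show the device is producing the expected sequence and
    pin down its drift; returns c minus the server's counter, or None.
    """
    server_counter = now // step
    for delta in range(-window, window + 1):
        c = server_counter + delta
        if c < 0:
            continue  # counters before the epoch cannot occur
        if hotp(secret, c) == code1 and hotp(secret, c + 1) == code2:
            return delta
    return None


if __name__ == "__main__":
    # A device running 90 s (3 steps) behind the server still resyncs.
    slow_now, real_now = 59, 59 + 90
    pair = (totp(DEMO_SECRET, slow_now), totp(DEMO_SECRET, slow_now + STEP_SECONDS))
    print("codes from device:", pair)
    print("drift in steps:", find_device_offset(DEMO_SECRET, *pair, now=real_now))
```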

Disabling MFA For Root Users And IAM Users

To disable MFA devices, head over to the IAM console and, under the MFA section, select the device you wish to remove. Then click on the Remove option.

Disabling MFA

  • You will be prompted to confirm your decision.
  • Click on Remove. This removes the device, and you can no longer use it to sign in to your account.

Confirmation Box

In this article, we first saw a brief overview of MFA and why it is needed. Then we looked at the MFA options in AWS, after which we added MFA to our AWS account using a Virtual Authenticator Application downloaded from an app marketplace. Your account now has a second layer of security: we have implemented MFA for the AWS account.

Multi Factor Authentication (MFA) – FAQs

Can I Add Multiple MFA Devices To AWS Account?

Yes, AWS allows you to add up to 8 MFA devices of your choice to your account.

What Should I Do If I Get An Error While Trying To Log In Using My MFA Device?

This happens only when your device has fallen out of sync. AWS allows you to resync your device at the time of login in case this happens, but resync your device regularly to avoid this issue.

What Should I Do If I Have Lost My MFA Device?

If you lose your MFA device, you will be locked out of your account unless you have set up multiple MFA devices. Safeguarding your MFA devices is therefore your responsibility.

How To Change The Name Of My MFA Device?

Once you add an MFA device, AWS does not allow you to edit it. If you want to change anything such as the device name, remove the device and add it again with the desired changes.

What If I Don’t Wish To Add MFA To My Account?

If you choose not to add MFA to your account, then in case your username and password get stolen, your account can easily be taken over by the impostor. You can suffer big losses in terms of finance and reputation. MFA serves as a second layer of security, and the importance of adding it to AWS accounts cannot be stressed enough.


