This article discusses Multi-Factor Authentication (MFA) in AWS Identity and Access Management (IAM).

The times when a username and a password alone were enough to protect your email account or any other type of access to different resources are gone. Even if you are using a strong password, it’s just a matter of time until someone breaks it. In recent history, there have been several occasions when unauthorized people stole millions of usernames and passwords from different companies.


Obviously, it’s not enough to have your accounts protected only by passwords. Amazon goes one step further and provides MFA.

MFA provides an additional layer of security for the AWS root account or for any other IAM user. Once MFA is configured, whenever a user logs in to AWS, he/she will have to enter a unique code from the authentication device.

To configure MFA, you must link an MFA device (it can be hardware or virtual) to the root account or IAM user. The MFA device must be unique per user (regardless of whether it is the root account or an IAM user).

There are three major steps in setting up and using the MFA device:

  • Procure the MFA device – the device can be hardware or virtual. Virtual means that the device can be any device on which you can install a time-based one-time password application. A virtual device is commonly a smartphone. Amazon maintains a list of the applications that can be installed on virtual devices based on the OS (Android, iOS, Windows). The hardware device is a Gemalto-brand device that is supported by AWS.
  • Enable the MFA device – link the MFA device with your account.
  • Use the MFA device – each time you access AWS, you will be asked for a username, a password and an MFA code.

In this article we will set up MFA for an IAM user. A user, user_01, has been created as you can see below:

Below on the same page, you can check if MFA is enabled for this user. In this case, it isn’t.

Let’s start the process to enable MFA for this user.

From the users list, select the user for which you want to enable MFA. Then open the “Security Credentials” section and click on “Manage MFA Device”. In the pop-up window, select “A virtual MFA device” and click on “Next Step”:

You will be reminded that you need to install the application to a smartphone or PC. If you already did it, just click on “Next Step”:

Once you do that, you will be shown a QR code that you need to scan using the virtual device. If the virtual device does not support scanning, you can copy and paste the secret configuration key to the application. The application will generate random authentication codes. You will need to fill in two consecutive codes and then click on “Next Step”:

If everything was in order, the next window will tell you that the MFA device was successfully associated with the IAM user:

You might remember from the article Amazon Web Services: Understanding IAM – Users, Groups and Sign-in Credentials (http://resources.intenseschool.com/amazon-aws-understanding-iam-users-groups-and-sign-in-credentials/) that when a user wants to log in to AWS, he/she has to use the following link: https://<ACCOUNT_NUMBER>.signin.aws.amazon.com/console.

So let’s try to log in with this user, but without using the MFA code. You will see that although the username/password combination is fine, you will be informed that the credentials are not correct:

Now let’s try one more time, using the MFA code as well:

As you can see, the authentication was successful:

It’s possible that the MFA device sometimes gets out of synchronization. If this happens, that user will not be able to log in to AWS anymore. That user will be prompted to resynchronize the MFA device using the same procedure (the user will have to enter two consecutive codes). However, the synchronization can also be done through the AWS Management Console. On the IAM console, select “Users” and then select the user for which you want to do the synchronization. Open the “Security Credentials” section and click on “Manage MFA device”:

Then you will be asked for two consecutive codes.
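
The following Python sketch shows why two consecutive codes are requested during enrollment and resynchronization; it is an added example, not code from AWS or from the original article. It assumes the standard TOTP algorithm (RFC 6238, HMAC-SHA1, 30-second steps) that virtual MFA applications implement. The `find_drift` function, its search window and the secret (the RFC 6238 test key) are illustrative assumptions, not AWS's server-side logic.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for (RFC 6238 default)

# Constructed secret: the RFC 6238 test key, base32-encoded the way a
# "secret configuration key" is shown next to the QR code.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def find_drift(secret_b32, code1, code2, server_time, max_steps=10):
    """Hypothetical resync check: return the device clock offset in steps if
    code1 and code2 are the codes of two consecutive steps within
    +/- max_steps of server_time, otherwise None. Demanding the pair keeps a
    guessed single code from matching somewhere in the widened window."""
    for drift in sorted(range(-max_steps, max_steps + 1), key=abs):
        t = server_time + drift * STEP
        if (hmac.compare_digest(totp(secret_b32, t), code1)
                and hmac.compare_digest(totp(secret_b32, t + STEP), code2)):
            return drift
    return None


if __name__ == "__main__":
    device_time = 1111111109              # device clock runs 90 s ahead
    server_time = device_time - 3 * STEP  # what the verifying side sees
    first = totp(SECRET, device_time)
    second = totp(SECRET, device_time + STEP)
    print("codes typed by the user:", first, second)
    print("matches the server's current code:", first == totp(SECRET, server_time))
    print("drift recovered from the pair (steps):",
          find_drift(SECRET, first, second, server_time))
```

Once the offset is known, the verifying side can apply it to later logins, which is why a drifted device works again after the two codes are accepted.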

To deactivate MFA for a user, follow the same steps as when you are synchronizing the MFA device, but now select “Deactivate MFA device” and click on “Next Step”. The device will be deactivated without any further actions.

MFA can be activated for the root account as well. Open the IAM console and on the dashboard, you will see “Activate MFA on your root account”. Click on “Manage MFA” and repeat the same procedure you would use to activate MFA for a regular user:

So what happens if your virtual/hardware device stops working or it’s lost or stolen?

If that happens and you were using MFA for a regular user, then you need to contact the person who provided you with the username and password for the account. He/she will have to deactivate the MFA device.

On the other hand, if that was the MFA device used for the root account, then you need to contact AWS Support and ask them to temporarily disable MFA so that you can access the AWS resources using only the username/password combination. Once you have a new hardware or virtual device, you can re-enable MFA.

It’s recommended that you enable MFA not only for AWS access, but wherever it’s possible. It provides increased security. Passwords can be stolen at any time; someone might see what you are typing and so on. If you add the MFA level of protection, the odds that someone gains unauthorized access to your AWS account are very low.

Activating MFA is simple and effective.

Reference

  1. Using Multi-Factor Authentication (MFA) Devices with AWS (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.html)