Configuring Multi-Factor Authentication (MFA)

In addition to a password that is required for users to authenticate to AWS, it is recommended to implement MFA to add a second layer of authentication. This is best practice for your AWS root account and any other user accounts that have elevated privileges.

By using MFA, you are required to enter a randomly generated 6-digit number once you have entered your password when using the Management Console. This 6-digit number changes very frequently, making it difficult to compromise. It is very easy to set up MFA for a user so let me run through it:

  1. From within the IAM dashboard of the AWS Management Console, select Users and then the user requiring MFA.
  2. Click on the Security Credential tab and you will notice under Sign-in Credentials that it states Not assigned for your MFA device:
  1. Click on Manage. Here, you can then select your chosen device for using MFA. I will use Google Authenticator, which is a simple app I have on my phone. So, in this example, we have selected Virtual MFA device. Once done, click Continue:
  1. Using the Google Authenticator app, we scan the QR code and enter the first 6 digits that appear within the app for our user and add those digits into the entry of MFA code 1. We must then wait for the numbers to change and add those consecutive digits into the MFA code 2 field:
  1. At this point, we will get a message stating that we have successfully assigned a virtual MFA device for that user:
  1. The following screenshot shows how the screen appears when logging in as the user once the username and password have been entered:

MFA can also be used in other areas of AWS, for example, policies. You can configure your policies to only allow a user to perform an action if they have done so via MFA within the conditional parameters. The following example policy shows a trust policy relating to a role that checks to make sure that the user Stuart has authenticated via MFA. If Stuart did not use MFA, then access is not permitted:

{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::356903128354:user/Stuart"},
"Action": "sts:AssumeRole",
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
}
}

As you can see, MFA is very easy to configure and set up and provides a great way of strengthening authentication to your AWS account and resources. MFA provides a great way of enhancing the security posture within your access control policies.