
How to Enable MFA Multi-Factor Authentication on AWS


For Amazon Web Services (AWS) cloud users, it is best practice to enable Multi-Factor Authentication (MFA) and use it as part of your user credentials. In this best practices guide, I want to share the steps to enable MFA on AWS for cloud users. As an internet user, you might have heard of 2FA, also known as two-factor authentication, which is the same as multi-factor authentication.


Activate Multi-Factor Authentication MFA for AWS Root Account

Launch the AWS (Amazon Web Services) portal.
Sign in to the Console.

AWS Amazon Web Services

Use your AWS root user.
Please note that enabling MFA should be the first task after you create your AWS account.
Then, using your root account, create another AWS user to manage your daily tasks.
Using a different user than your root AWS account will protect your credit or debit card from unauthorized users in case of a security problem.

Amazon Web Services AWS Console

When you are in the AWS Console, you will see your user name in the top right corner. Clicking it displays the following menu. Select the menu option "My Security Credentials" to enable Multi-Factor Authentication and register an MFA device.

AWS Security Credentials

When a popup message is displayed suggesting that you create an IAM user, dismiss this best-practice reminder for the purpose of this MFA task and choose the "Continue to Security Credentials" option.

AWS IAM Identity and Access Management user

On the "Your Security Credentials" page, Amazon Web Services users can manage the credentials for their AWS account. To manage credentials for AWS Identity and Access Management (IAM) users, the IAM Console should be used. Root account security credentials can be managed via this screen.

There are different ways to define and use security credentials. Here is the list shown on the AWS "Your Security Credentials" page:

Password
Multi-factor authentication (MFA)
Access keys (access key ID and secret access key)
CloudFront key pairs
X.509 certificate
Account identifiers

security credential for AWS user

By default, as seen in the above screenshot, MFA (Multi-Factor Authentication) is not enabled.
You can use MFA to increase the strength of your AWS security when logging in to the AWS portal.
AWS users can activate MFA as illustrated in the following steps.
After MFA is activated, AWS users have to provide an additional authentication code generated by the registered MFA device, in addition to their account user name and password.

Click on Activate MFA.

If you plan to use your smartphone as an MFA device, you can choose the Virtual MFA device option when you are asked for the type of MFA device to activate.

manage MFA device for AWS user security credentials

Click Next Step to continue.

Now you need an MFA-compatible app installed on your mobile phone.
The apps valid for MFA are listed on the AWS MFA details page.

The Google Authenticator and Authy 2-Factor Authentication apps can be used on iPhone and Android devices. If you have a Windows Phone smartphone, use Authenticator as the virtual MFA application.

For the most recent app list, please visit the Multi-Factor Authentication page. Please read the following note from AWS for more details:

To activate a virtual MFA device, you must first install an AWS MFA-compatible application on the user's smartphone, PC, or other device. You can find a list of AWS MFA-compatible applications here. After the application is installed, click Next Step to configure the virtual MFA.

I will use virtual MFA on my iPhone device. I preferred to download and install Google Authenticator.

Google Authenticator as virtual MFA device application

After I click the Next Step button, the following Manage MFA device screen is displayed.
There is a QR code to scan with the MFA app, and two authentication code entry fields. The codes are provided by the MFA app and I will enter them manually.

QR code to scan for AWS MFA application

Let's scan the QR code using the MFA application Google Authenticator.

After the scan is completed, enter the two 6-digit numbers generated by the app, one after another.
Please note that for the second 6-digit number, you have to wait a few seconds.
Then click on Activate Virtual MFA.

If you are successful, you will be informed via the message "The MFA device was successfully associated with your account."

Then under Multi-Factor Authentication (MFA) you will see your device listed.
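
Why the activation screen asks for two codes and why the second one needs a short wait, shown as an added example (not part of the original tutorial and not AWS code). It assumes the RFC 6238 defaults that authenticator apps such as Google Authenticator use (HMAC-SHA1, 30-second time step); the secret below is the public RFC 6238 test key, not a real AWS MFA secret, and all function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed: RFC 6238 default time step
DIGITS = 6         # the 6-digit codes typed into the two entry fields

# Public RFC 6238 test key ("12345678901234567890") in Base32, the encoding
# used for the secret inside the QR code. Never a real secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(base32_secret: str) -> bytes:
    """Decode a Base32 shared secret; spaces and letter case are ignored."""
    cleaned = base32_secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding if it was stripped
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(key: bytes, unix_time: int) -> str:
    """The code changes only when unix_time crosses a 30-second boundary."""
    return hotp(key, unix_time // STEP_SECONDS)


def seconds_until_next_code(unix_time: int) -> int:
    """How long the user waits before the app shows the second code."""
    return STEP_SECONDS - unix_time % STEP_SECONDS


def activation_pair(key: bytes, unix_time: int) -> tuple:
    """The two consecutive codes: current time window, then the next one."""
    return totp(key, unix_time), totp(key, unix_time + STEP_SECONDS)


if __name__ == "__main__":
    key = decode_secret(RFC_TEST_SECRET)
    t = 1111111109  # timestamp taken from the RFC 6238 test vectors
    print(activation_pair(key, t), "wait", seconds_until_next_code(t), "s")
```

Both codes are derived from the same shared secret and two adjacent time windows, so a single observed code is not enough to complete the registration.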

Since your payment methods are reachable via your AWS root account, the second step after you have created your account on Amazon Web Services is to create an IAM user (AWS Identity and Access Management user).


Enable MFA Multi-Factor Authentication for AWS IAM User

If your user account is not the root account but an IAM user account (AWS Identity and Access Management user), it is also possible to activate MFA and enable a virtual MFA device to strengthen your user authentication security.

Log in to the AWS Console. You can then see your user type in the menu displayed under your user name at the top right of the console.

AWS Identity and Access IAM user

Click on My Security Credentials.
Click Users.
Click on your user account to display its details.
Switch to the Security Credentials tab.

security credentials for AWS IAM user and assigned MFA device

In the Sign-in credentials section, Assigned MFA device is shown as "No".

Click on the Edit icon next to "No" for the Assigned MFA device information.

This will pop up the selection screen for the virtual MFA device, as we have seen in the first part of this tutorial.
Choose the "A virtual MFA device" option.
Then install an AWS MFA-compatible application, for example Google Authenticator, on your mobile device.
Scan the QR code displayed in the next step and provide the two authentication codes shown by the virtual MFA application on your mobile device to complete the MFA device registration.





Copyright © 2004 - 2024 Eralper YILMAZ. All rights reserved.