Storing sensitive information in the cloud makes your account a target for credential theft: anyone who obtains your password can sign in as you and do everything you can do. To reduce that risk, AWS recommends that you configure AWS Multi-Factor Authentication (MFA) to help protect your AWS resources.
In brief, MFA = a password you know + a security device you own.
In this blog, we will discuss:
- Overview Of AWS MFA
- Why AWS MFA is required
- MFA Device Options in AWS
- Enabling MFA on Root Account
- Accessing AWS Console using MFA
- What if the MFA device does not work
Overview of AWS MFA
AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your username and password. With MFA enabled, a user signing in to the AWS Management Console is prompted for their user name and password (the first factor, something they know) and then for an authentication code from their AWS MFA device (the second factor, something they have). Taken together, these factors make a stolen password alone insufficient to reach your AWS account settings and resources.
Why AWS MFA is Required
- Anyone who can sign in to your account can change configurations and delete resources, so the sign-in itself needs a second factor beyond the password.
- It protects both the root user and IAM users.
- Even if the password is stolen, phished or guessed, the attacker still cannot sign in without the MFA device.
- Enabling MFA for the root user affects only the root user credentials. IAM users in the account are distinct identities with their own credentials, and each identity has its own MFA configuration, so MFA has to be enabled (or enforced) for each of them separately.
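Enabling MFA on each IAM user is only half of the job: nothing stops a user (or an attacker holding that user's password) from signing in without MFA unless a policy says so. The IAM policy below is an added example, not part of the original post and not taken from any specific AWS account; it follows the pattern AWS documents for "deny everything unless MFA is present". Attached to a user or group alongside their normal permissions, the explicit Deny blocks every action except the handful needed to enrol a device and obtain an MFA-backed session.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptMfaSetupUnlessMfaPresent",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Two details matter here. `BoolIfExists` (rather than `Bool`) means the Deny also fires when the `aws:MultiFactorAuthPresent` key is absent, which is the case for API calls made directly with long-term access keys, so those are cut off too. And because the exempted actions use `Resource: "*"`, a not-yet-enrolled user could in principle enrol a device for another user; in production, scope those `iam:` actions to the caller's own ARN (`arn:aws:iam::*:user/${aws:username}` and `arn:aws:iam::*:mfa/*`) as the full AWS example policy does.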
MFA Device Options In AWS
The following are the MFA device options in AWS:
- Virtual MFA device: a software TOTP authenticator that can hold tokens for many accounts on one device, e.g. Google Authenticator (phone only) or Authy (multi-device).
- FIDO security key (AWS previously called these Universal 2nd Factor, U2F, keys): a single key can be registered for multiple root and IAM users, e.g. a YubiKey from Yubico (third party).
- Hardware key fob (TOTP token): provided by Gemalto, now Thales (third party).
- Hardware key fob for AWS GovCloud (US): provided by SurePassID (third party).
Enabling MFA On Root Account
1) Sign in to the AWS Management Console as the root user.
Note: If you have not created a free tier account yet, see the blog post on how to create a free tier account.
2) On the right side of the navigation bar, choose your account name, then choose Security credentials from the dropdown.
3) Click Assign MFA device.
4) Enter a device name, select Authenticator app as the MFA device type and click Next.
5) Install Google Authenticator (or any other TOTP authenticator app) on your phone from the Android or iOS app store.
6) In the AWS console click Show QR code. Open Google Authenticator, tap Get started (or the + button) and scan the QR code.
7) The app now shows a 6-digit code that changes every 30 seconds. Enter the current code into MFA code 1, wait for the app to display the next code and enter that one into MFA code 2. AWS asks for two consecutive codes so it can confirm that your app's clock is in step with its own.
Then click Add MFA.
Note: The QR code (and the secret key behind Show secret key) is the seed from which every future code is generated. If you keep a copy so that you can re-enrol after losing your phone, store it only in an encrypted place such as a password manager, never as a plain screenshot in your photo library, because anyone who has it can generate valid MFA codes for your root user.
8) The device is now listed under Multi-factor authentication (MFA) on the Security credentials page.
9) You have successfully activated MFA on your root account.
Accessing AWS Console Using MFA
1) Open the AWS console sign-in page, choose Root user, enter the root user email address and click Next.
2) Enter the password for that email address.
3) When prompted for an MFA code, open Google Authenticator on your phone and enter the current 6-digit code for this account. Codes change every 30 seconds, so if a code is rejected wait for the next one rather than retyping the old one.
So this was an overview of AWS MFA and how you can enable it.
What if the MFA device does not work?
If your virtual or hardware MFA device appears to be working but AWS rejects its codes, the device may be out of synchronization with AWS: a TOTP code depends on the current time, so a phone or token whose clock has drifted produces codes AWS does not expect. Resynchronize it from the Security credentials page (root user) or the IAM user's Security credentials tab by entering two consecutive codes from the device; if that still fails, check that the device's clock is set automatically from the network.
If the root user's MFA device is lost, damaged or not working, you can recover access to the account through the Troubleshoot MFA option on the sign-in page, which verifies your identity using the email address and phone number registered on the account; once signed in, deactivate the broken device and register a new one. IAM users cannot do this themselves and must contact an administrator to deactivate the device.