Multi-Factor Authentication – AWS MFA is a security measure that adds a layer of protection to your AWS account. You can use it in conjunction with or instead of the standard username and password login process for accessing certain services, such as Amazon S3 buckets. Once you enable AWS MFA, you will be prompted for both your username and password AND either a one-time code sent to your phone via SMS text message OR a sequence of numbers generated by the Google Authenticator app on your phone before being able to access these resources.
This two-factor authentication scheme is very good because it means that even if someone knows your username and password, they still cannot access any protected information from the website unless they have one more factor. That can be something like a code or a picture.
What is AWS MFA?
“Amazon Web Services Multi-Factor Authentication (AWS MFA) is a security feature that provides an additional level of security for your AWS account.”
So, what does this mean?
In layman’s terms, it means that when you log in to your AWS console, be it via the web or mobile apps, you have to enter a code in addition to your username and password. That code is generated on a device that you have registered with AWS MFA before, such as a smartphone or license generator token.
Why should I use it?
AWS MFA provides a way for you to add a layer of security to your account so that even if someone has your username and password, they can’t access your account without the MFA code. We all know that typing in our password incorrectly or not logging out of our account properly are very easy mistakes to make. If someone has access to your account for just a few minutes, they could wreak havoc on your AWS resources while you’re blissfully unaware until it’s too late.
Another reason you should use it is that it makes your AWS account more secure from phishing attacks. In a phishing attack, someone sends you an email that looks like it's from Amazon, asking for your username and password. If you give them this information, they can sign in to your account just as you would. With AWS MFA, you can rest assured that they won't be able to get into your account even if they have the correct credentials.
What do I need to use it?
- You must have an AWS account to use AWS MFA. If you don’t already have one, sign up here.
- An IAM user with permission to access your account’s MFA settings. More on this in the next section.
- A smartphone or other device where you can generate the AWS MFA code, such as an RSA SecurID token or a DUO Security license generator token (in beta at the time of writing).
- A way to generate the code you need on that device, such as a QR scanner or an SMS. This article assumes that we will be using one of the devices in the list and the AWS MFA apps for generating codes (which seems like a popular option).
- Log in to your AWS Management Console account.
- Open My Security Credentials under the dropdown menu.
Note: Before creating MFA, you need to delete all Security Access keys for your account.
- Click on Assign MFA Device.
- Now, select the Virtual MFA device and click on Continue.
- Click on Show QR Code and scan the code using the Microsoft Authenticator app. (To scan this QR Code, you need to install the Microsoft Authenticator application on your phone through the App Store.)
In Microsoft Authenticator, you need to Add An Account and then click on Other account (Google, Facebook, etc.). Now scan the QR Code shown on the screen to generate MFA Codes.
- Enter 2 consecutive MFA Codes and click on Assign MFA.
Congratulations! You have successfully assigned Virtual MFA to your account.
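To show what the authenticator app does with the QR code and why the console asks for 2 consecutive codes, here is an added example (not AWS code and not part of the original article) of RFC 6238 TOTP, the algorithm virtual MFA apps implement. The `verify_enrollment` check and its drift window are a hypothetical sketch of a verifier, and the seed is the constructed RFC 6238 test key, not a real device secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6     # code length shown by authenticator apps


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second step number."""
    return hotp(secret, unix_time // STEP)


def secret_from_qr(base32_secret: str) -> bytes:
    """Decode the Base32 seed carried in the QR code's otpauth:// URI."""
    cleaned = base32_secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore stripped padding
    return base64.b32decode(cleaned)


def verify_enrollment(secret: bytes, code1: str, code2: str,
                      server_time: int, drift_steps: int = 1) -> bool:
    """Hypothetical policy: code1 and code2 must come from adjacent steps,
    starting at most drift_steps+1 before or drift_steps after 'now'."""
    now = server_time // STEP
    for step in range(now - drift_steps - 1, now + drift_steps + 1):
        ok1 = hmac.compare_digest(hotp(secret, step), code1)
        ok2 = hmac.compare_digest(hotp(secret, step + 1), code2)
        if ok1 and ok2:   # same seed AND device clock close to ours
            return True
    return False


# Constructed sample seed: the RFC 6238 test key, Base32-encoded.
SAMPLE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = secret_from_qr(SAMPLE_SEED)
    first, second = totp(key, 59), totp(key, 89)
    print(first, second, verify_enrollment(key, first, second, server_time=95))
```

Two codes from adjacent 30-second steps prove both that the device holds the same seed and that its clock is close to the server's; a single repeated code or a stale pair fails the check.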
Security is always a hot topic, and with more of your business being stored in the cloud than ever before, it's important to be proactive about protecting your company from potential breaches. Here are two simple steps you can take right now to secure your AWS account against common threats: enable Multi-Factor Authentication on all accounts that require it, and make sure any admin passwords are strong enough (even if they aren't required by default). These easy steps will help protect the data you store on Amazon's highly reliable servers. You can learn more about these topics by checking out our Blogs or Courses page!