Securing the AWS console is a prime concern for a cloud administrator. Every user, including the AWS root account, should have Multi-Factor Authentication (MFA) enabled for secure AWS console login. MFA adds an additional layer of security when logging in to the AWS console. You can enable MFA for an AWS IAM user or the root user using either a hardware-based MFA device or a virtual MFA application. The following virtual MFA applications are available for mobile devices:
- Android: Google Authenticator; Authy 2-Factor Authentication
- iPhone: Google Authenticator; Authy 2-Factor Authentication
- Windows Phone: Authenticator+
- Blackberry: Google Authenticator
You can also use a hardware-based MFA device; however, you may need to pay to purchase it. This article focuses on the virtual MFA application.
Before proceeding to the next process, make sure you have installed the appropriate virtual MFA application on your mobile device.
Enabling Multi-factor Authentication for AWS User
To enable MFA for an AWS IAM user, perform the following steps:
- Log in to the AWS Management Console with admin privileges.
- Search and open the IAM users dashboard.
- In the left pane, click Users and select an IAM user for which you want to enable MFA.
- On the IAM user Summary page, select the Security Credentials tab and then click the Assign MFA device edit button as shown in the following figure.
- In the Manage MFA Device window, select the type of MFA device to activate. For this exercise, we will select the A virtual MFA device option as shown in the following figure.
- Click Next Step to proceed. In the warning message box, read the instructions and click the Next Step button to proceed.
- On the next page, you will see a scan code that you need to scan using a virtual MFA application such as Google Authenticator.
- Once the code is scanned, the virtual MFA device (in our case, an Android mobile) should be able to detect the AWS user account.
- On the Scan Code page of the AWS console, you also need to type two consecutive codes displayed in the Google Authenticator application.
- Now click the Activate MFA Device button to proceed as shown in the following figure.
Note: The authentication code changes every few seconds, so be careful to type the correct authentication code.
- Once the process is completed, the message “The MFA device was successfully associated.” will be displayed. Click Finish to complete the wizard.
- Now, whenever the IAM user tries to log in to the AWS console, they will need the dynamic security code along with the username and password.
That’s all you need to do to enable MFA for an AWS IAM user. The same process can be followed to enable MFA for the AWS root account. However, you must be logged in with the root account to do so.
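To confirm the result across the whole account, the IAM credential report (a CSV you can download from the IAM console) has an mfa_active column for every user and for the root account. The following is an added example, not part of the original article: it parses a constructed sample in that CSV layout and lists the root account and console-enabled users that still have no MFA device. The sample rows, account ID and user names are made up for illustration.

```python
import csv
import io

# Constructed sample in the IAM credential report CSV layout. Columns are
# trimmed to the ones this check reads; a real report carries more columns,
# which DictReader simply ignores here.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false
alice,arn:aws:iam::111122223333:user/alice,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false
"""

ROOT = "<root_account>"  # name the report uses for the root account row


def users_missing_mfa(report_csv):
    """Return console-capable identities that have no MFA device assigned.

    The root row is always checked, because the report marks its
    password_enabled column as not_supported even though root can sign in.
    IAM users without a console password (API-only) are skipped, since the
    console login flow in this article does not apply to them.
    """
    missing = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_console = user == ROOT or row["password_enabled"].lower() == "true"
        has_mfa = row["mfa_active"].lower() == "true"
        if has_console and not has_mfa:
            missing.append(user)
    return missing


if __name__ == "__main__":
    for name in users_missing_mfa(SAMPLE_REPORT):
        print("MFA not enabled:", name)
```
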
Hope you have loved this article. In the next article, we will discuss what to do if the associated MFA device is lost. You should know this, especially in the case of the AWS root account, because an IAM user cannot manage MFA for the AWS root account.