Multi-Factor Authentication (MFA)
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed IAM Roles.
https://cloudaffaire.com/iam-roles/
In this blog post, we are going to discuss Multi-Factor Authentication (MFA) in AWS. We will also enable MFA on our root account using a virtual MFA device (mobile app).
Multi-Factor Authentication (MFA):
AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password (the first factor, something they know), as well as for an authentication response from their AWS MFA device (the second factor, something they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources. You can enable MFA for your AWS account and for individual IAM users you have created under your account. MFA can also be used to control access to AWS service APIs.
MFA types:
- Virtual MFA devices: A software app that runs on a phone or other mobile device and emulates a physical device. The device generates a six-digit numeric code based upon a time-synchronized one-time password algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each virtual MFA device assigned to a user must be unique. A user cannot type a code from another user’s virtual MFA device to authenticate.
- U2F security key: A device that you plug into a USB port on your computer. U2F is an open authentication standard hosted by the FIDO Alliance. When you enable a U2F security key, you sign in by entering your credentials and then tapping the device instead of manually entering a code.
- Hardware MFA device: A hardware device that generates a six-digit numeric code based upon a time-synchronized one-time password algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each MFA device assigned to a user must be unique. A user cannot type a code from another user’s device to be authenticated.
- SMS text message-based MFA: A type of MFA in which the IAM user settings include the phone number of the user’s SMS-compatible mobile device. When the user signs in, AWS sends a six-digit numeric code by SMS text message to the user’s mobile device. The user is required to type that code on a second webpage during sign-in.
Note that SMS-based MFA is available only for IAM users. You cannot use this type of MFA with the AWS account root user.
Next, we are going to enable MFA on our root account using a virtual MFA device.
Step 1: Login to AWS console and navigate to IAM.
Step 2: Click ‘Manage MFA’ located under ‘Dashboard’.
Step 3: Click ‘Activate MFA’ located under ‘Multi-factor authentication (MFA)’.
Step 4: Select ‘Virtual MFA device’ and click ‘Continue’.
Step 5: Download and install Google Authenticator on your mobile.
Step 6: Open the app and tap ‘Scan a barcode’.
Step 7: Scan the barcode shown on the AWS console page in your browser (the page that appeared after step 4), then enter two consecutive MFA codes from your mobile. Click ‘Assign MFA’.
You will receive a success message.
MFA successfully activated for our root account.
If you log off and log in again to the AWS console using your root account, you will need to enter your MFA code from your mobile apart from your root credential to log in.
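The six-digit codes typed in step 7 and at sign-in come from the time-based one-time password algorithm (RFC 6238) that a virtual MFA app emulates. The script below, an added example that is not code from this post or from AWS, generates codes from a base32 seed of the kind a virtual MFA device is provisioned with and mimics the enrollment check that requires two consecutive codes; the seed, the 30-second step and the one-step clock tolerance are assumptions, and the verification functions are an approximation of the idea, not AWS's implementation.

```python
import base64
import hashlib
import hmac
import struct

# Assumed parameters of a virtual MFA device: 30-second step, 6 digits, HMAC-SHA1.
STEP = 30
DIGITS = 6

# Constructed seed: base32 of the 20-byte ASCII secret "12345678901234567890"
# (the RFC 6238 test-vector key), standing in for the seed behind the QR code.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step                      # number of steps since the epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_login(secret_b32: str, code: str, now: int, skew: int = 1) -> bool:
    """Accept a code from the current step or +/- skew steps (hypothetical tolerance)."""
    base = now // STEP
    for c in range(base - skew, base + skew + 1):
        if hmac.compare_digest(totp(secret_b32, c * STEP), code):
            return True
    return False


def verify_enrollment(secret_b32: str, code1: str, code2: str, now: int, skew: int = 1) -> bool:
    """Mimic 'enter two consecutive MFA codes': both codes must come from adjacent
    time steps, in order, which proves the app's seed and clock match the server's."""
    base = now // STEP
    for c in range(base - skew, base + skew + 1):
        if (hmac.compare_digest(totp(secret_b32, c * STEP), code1)
                and hmac.compare_digest(totp(secret_b32, (c + 1) * STEP), code2)):
            return True
    return False


if __name__ == "__main__":
    # Two adjacent steps (RFC 6238 vector times 1111111109 and 1111111111).
    first, second = totp(SECRET_B32, 1111111109), totp(SECRET_B32, 1111111111)
    print(first, second, verify_enrollment(SECRET_B32, first, second, 1111111111))
```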
Hope you have enjoyed this article. In the next blog post, we will complete securing our root account.
To get more details on IAM, please refer to the AWS documentation below.
https://docs.aws.amazon.com/iam/index.html
To get more details on MFA supported devices, please refer to the link below.
https://aws.amazon.com/iam/details/mfa/
Another option is to use reprogrammable hardware tokens. These can be used as direct replacements for Google Authenticator and, once programmed, offer a more self-contained and durable solution than something based on a mobile device.