Configuring AWS multifactor authentication

AWS multifactor authentication (MFA) adds an extra layer of security for your AWS users. MFA verifies your identity through something you know (user ID and password) and something you have with you (a hardware device or a software token). In addition to the user name and password, the user must enter a one-time authentication code when logging in to the AWS console. As a best practice, always configure multifactor authentication for the root account and for other highly privileged IAM users. MFA can also be used to control access to specific resources and to AWS service API calls.

Using conditions in the policy, you can specifically allow a user access to a set of services only if the user was authenticated using the MFA code. For example, you can specify a condition that a user is allowed to create or terminate EC2 instances in the production environment only if they are authenticated using MFA.

There are two types of MFA: virtual and hardware. A virtual MFA device uses an application to generate an authentication code compatible with the time-based one-time password (TOTP) standard. Several different virtual MFA apps can be used; note, however, that AWS requires the virtual MFA app to generate a six-digit code. Virtual MFA is free to use; you need either to download the official MFA app or to use Google Authenticator on your smartphone to implement it.

If you want to implement hardware-based MFA, you need to purchase a hardware MFA device from a third-party vendor such as Gemalto.

In this recipe, we configure a virtual MFA device (Google Authenticator) with AWS IAM.

How to do it…

  1. Create a virtual MFA device.

    Execute the following command to create a virtual MFA device for the ethanhunt user. Record the serial number (the device ARN) from the output for use in the next step.

    $ aws iam create-virtual-mfa-device \
    --virtual-mfa-device-name ethanhuntmfadevice \
    --outfile F:\ethanhuntmfadevice.txt \
    --bootstrap-method Base32StringSeed
    
  2. Enable the virtual MFA device.

    Execute the following command to enable the MFA device. The user-name parameter specifies ethanhunt, the user for whom you want to enable the MFA device.

    $ aws iam enable-mfa-device \
    --user-name ethanhunt \
    --serial-number arn:aws:iam::968336292411:mfa/ethanhuntmfadevice \
    --authentication-code-1 244672 \
    --authentication-code-2 705514
    

How it works…

First, we create the virtual MFA device. In the command, we specify the name of the virtual MFA device, the output file path where the bootstrap information is stored, and the method used to seed the virtual MFA device, for example, QRCodePNG or Base32StringSeed. The seed information should be destroyed after the virtual device is provisioned.

After executing the command, the result file contains the configuration key. Manually enter this configuration key in your Google Authenticator app, making sure to select the Time based option. After entering the configuration key, copy two consecutive codes from the Google Authenticator app; they are required to associate the virtual MFA device with the specific user.

In the command used to enable the MFA device, we associate the MFA device with the user by specifying the IAM user name, the device ARN (the MFA serial number), and the two consecutive authentication codes emitted by the device.

There's more…

The virtual MFA app can run on smartphones, which makes it more convenient than a hardware MFA device. However, this also makes virtual MFA less secure than hardware MFA. Save the secret key in a secure place when you configure the virtual MFA device; this lets you reconfigure the app to use the same virtual MFA device if you lose your phone.

Because physical access to the smartphone or hardware device is needed to configure the virtual MFA device, it is preferable to grant users access to provision and manage their own MFA devices. In addition, you can deny these users access to AWS resources until they authenticate using their provisioned MFA device.
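The following IAM policy is an added example (not part of the recipe) that puts both ideas into practice: it lets an IAM user create and enable their own virtual MFA device, and it denies every other action until the request carries the aws:MultiFactorAuthPresent context key. The Sid values are constructed labels; the device ARN pattern uses a wildcard because, as in the recipe, the device name (ethanhuntmfadevice) need not match the user name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListMFADevicesAndPasswordPolicy",
      "Effect": "Allow",
      "Action": ["iam:ListVirtualMFADevices", "iam:GetAccountPasswordPolicy"],
      "Resource": "*"
    },
    {
      "Sid": "AllowCreateAndDeleteOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
      "Resource": "arn:aws:iam::*:mfa/*"
    },
    {
      "Sid": "AllowEnableAndResyncMFAOnOwnUser",
      "Effect": "Allow",
      "Action": ["iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice", "iam:GetUser"],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowDeactivateOnlyWhenAuthenticatedWithMFA",
      "Effect": "Allow",
      "Action": "iam:DeactivateMFADevice",
      "Resource": "arn:aws:iam::*:user/${aws:username}",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "DenyEverythingElseWithoutMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
```

The Deny statement uses BoolIfExists rather than Bool so that requests made with long-term access keys, where the key is absent, are also denied; sts:GetSessionToken stays allowed so CLI users can obtain MFA-authenticated temporary credentials, and DeactivateMFADevice is only allowed with MFA so a stolen password alone cannot remove the device.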
