To improve the security of your AWS account it is recommended to enable Multi-factor Authentication(MFA). We can enable Multi-factor Authentication for IAM users or for the root user. Multi-factor Authentication adds a layer of security as it requires users to enter a security code while logging into the account. MFA helps you keep your account safe and secure even when the user credentials are compromised. If you are using an Android phone you can use "Google Authenticator" as a virtual device. If you want to know other MFA applications, visit the AWS official page here.
To know more about Multi-factor Authentication, visit the AWS official documentation here.
In this article, we will see the steps to enable Multi-factor Authentication using a virtual device. A virtual Multi-factor Authentication device is nothing but an application or software running on your phone. This application generates a six-digit code that needs to be entered while logging into the account.
Pre-requisites
- AWS Account (Create if you don’t have one).
What will we do?
- Login to AWS.
- Enable MFA
- Disable MFA
Login to AWS
Click here to go to AWS Login Page. Enter your user credentials to login into your AWS account.
Once you successfully login into your AWS account, you will see the screen as follows which is the AWS management console.
Enable MFA
Click on "Services" in the top left of the screen and search for "IAM", click on the result to go to IAM Dashboard.
Here on the IAM dashboard under the "Security Alerts" section, you can see that the root account does not have Multi-factor Authentication(MFA) enabled. Click on the "Enable MFA" link which will take you to the page where you can configure the MFA.
On this page under the "Multi-factor Authentication" section, click on the "Activate MFA" button.
Choose the type of MFA device that you want to be used for Multi-factor Authentication. Here we will see the steps to enable Multi-factor Authentication using a virtual MFA device.
If you are having an Android Mobile device, install "Google Authenticator" applications from the playstore.
Once you have installed Google authenticator on your mobile device click on the "Continue" button.
Click on the "Show QR code" button which will display the QR code, open the Google Authenticator application on your mobile device, add, scan the QR code from the Google authenticator application and add 2 consecutive codes from the Google Authenticator app.
Click on "Assign MFA". This completes the process of enabling MFA.
You will see the pop up as follows with the message that the Virtual MFA has been assigned successfully. Click on the close button to close this pop-up screen.
Now logout from your AWS account to verify if the MFA has been enabled.
Go back to the login page and enter your user credentials. You will see that this time you are asked to enter the "MFA code". This means that even if you enter your user credentials you will still need a code that can be retrieved from the only device you enabled virtual MFA on.
So, even if your user credentials are compromised, access to your account will be restricted and will only be allowed when you enter the MFA code from your mobile device.
Disable MFA
Now if you feel like deactivating the MFA, click on your Account name -- > My Security Credentials on the right side of the screen.
Under the "Multi-factor authentication(MFA)" section, click on manage.
Here choose the action as "Remove" and click on the "Remove" button. Once you remove the MFA device you will no longer be required to provide MFA during login.
In the following screen, you can see that your MFA has been disabled and now you will not be required to enter the MFA code during a login step.
Conclusion
In this article, we saw the steps to enable Multi-factor Authentication using a virtual device. This virtual device is nothing but a Google authenticator application on your mobile. We saw how MFA can help us improve security for our AWS account. We also saw the step to disable the MFA from our AWS account. It is always recommended to enable MFA for the AWS account, so to improve the security of your account enable the MFA right now.