In Amazon's IAM Best Practices guide, the recommendation for MFA states:
We recommend that you require multi-factor authentication (MFA) for all users in your account. MFA is often used as a stopgap against malicious attacks. Knowing that identity is the first security boundary of your AWS environment, please ENABLE MFA for all users in your account. By enabling MFA you can ensure that the administrators logging into the AWS console are authorized to do so.
To enable MFA, you only need to follow 10 steps:
1. Log into the AWS console.
2. Click on your user name at the top right. In the drop-down menu, click "My Security Credentials".
3. Scroll down on the next page.
4. Click "Assign MFA device".
5. Choose your MFA device type and click "Continue".
   Many free apps on iPhone and Android work as a "Virtual MFA Device". I use Google Authenticator (Play Store, App Store) and Duo (Play Store, App Store) for my MFA adventures.
6. Click "Show QR code".
7. Open your MFA application on your mobile device and scan the code to add the account. Scanning the QR code adds the AWS entry to your MFA application.
8. Scroll down in the MFA window and enter the first code shown in your mobile phone application into the box "MFA Code 1".
9. Wait ~30 seconds, then enter the second code shown into the box "MFA Code 2".
That's it!
The next time you log into AWS, your account will prompt for MFA.
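Once MFA has been assigned by hand, the remaining question is which principals still lack it. The IAM credential report (fetched with `aws iam generate-credential-report` followed by `aws iam get-credential-report`) carries a `password_enabled` and an `mfa_active` column per user, and the root account appears as `<root_account>`. The following audit script is an added example, not part of the original post; the report rows it embeds are constructed, and only the column names are real.

```python
import base64
import csv
import io
import subprocess

# Constructed sample of an IAM credential report, i.e. the base64-decoded
# "Content" field of `aws iam get-credential-report`. The column names are
# the real report columns; every row below is made up for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,false,false
alice,arn:aws:iam::111111111111:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,false
bob,arn:aws:iam::111111111111:user/bob,2021-03-01T00:00:00+00:00,true,no_information,2024-01-01T00:00:00+00:00,N/A,false,false,false
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2022-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,false
"""


def users_without_mfa(report_csv: str) -> list[str]:
    """Return principals that can sign in to the console but have no MFA.

    Root can always sign in (its password_enabled column reads
    "not_supported"); an IAM user can only when password_enabled is "true".
    Access-key-only users such as ci-deploy are skipped here: console MFA
    does not protect API keys, so they need a separate control.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        console_login = is_root or row["password_enabled"] == "true"
        if console_login and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def fetch_live_report() -> str:
    """Pull the current report via the AWS CLI (needs credentials; not run here)."""
    subprocess.run(["aws", "iam", "generate-credential-report"], check=True)
    out = subprocess.run(
        ["aws", "iam", "get-credential-report", "--query", "Content", "--output", "text"],
        check=True, capture_output=True, text=True,
    ).stdout
    return base64.b64decode(out).decode()


if __name__ == "__main__":
    for user in users_without_mfa(SAMPLE_REPORT):
        print(f"console sign-in without MFA: {user}")
```

Swap `SAMPLE_REPORT` for `fetch_live_report()` to run it against a real account; root showing up in the output is the first thing to fix.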
If you want to discuss what benefits you might get from an AWS security roadmap please continue reading with my AWS Security Guides or please connect with me.