Enable AWS MFA in 10 Steps (With Pictures)
Posted on September 11, 2019 by David Rowe ‐ 2 min read
In Amazon’s IAM Best Practices guide, the recommendation for MFA states:
“We recommend that you require multi-factor authentication (MFA) for all users in your account.”
MFA is often used as a stopgap to stop malicious attacks. Knowing that identity is the first security boundary to your AWS environment, please ENABLE MFA for all users in your account. By enabling MFA you can ensure that the administrators logging into the AWS console are authorized to do so.
To enable MFA, you only need to follow 10 steps:
1. Log into the AWS console
2. Click on your user at the top right. In the drop-down menu, click My Security Credentials
3. Scroll down on the next page
4. Click “Assign MFA device”
   - If you already have an MFA device attached, you will see a different button titled “Manage MFA device”. You can remove the device on file and add a new device with this button
5. Choose your MFA device. Click Continue
   - Many free apps on iPhone and Android work for “Virtual MFA Device”. I use Google Authenticator (Play Store, Apple Store), and Duo (Play Store, Apple Store) for my MFA adventures
6. Click show QR code
7. Open your MFA application on your mobile device and scan the code in to add the account. Scanning the barcode will add the AWS application to your MFA application
   - For a full Duo guide on adding an application, visit here
8. Scroll down in the MFA window, and enter the first code you see in your mobile phone application into the box “MFA Code 1”
9. Wait ~30 seconds. Enter the second code you see into the box “MFA Code 2”
10. Click the blue button “Assign MFA”
That’s it!
Next time you log into AWS your account will prompt for MFA
If you want to discuss what benefits you might get from an AWS security roadmap please continue reading with my AWS Security Guides or please connect with me.