Using Multi-Factor Authentication (MFA) in AWS

What's MFA?

MFA adds an extra layer of security: users must authenticate through an AWS-supported MFA mechanism in addition to their regular sign-in credentials when accessing AWS websites or services. The supported mechanisms are as follows:
  • Virtual MFA Devices - A software app that runs on a phone or other device and generates a six-digit numeric code according to a time-synchronized one-time password algorithm.

  • FIDO Security Key - A device that plugs into a computer's USB port. Once enabled, a FIDO2 security key lets you sign in with your regular credentials and then simply tap the key instead of manually entering a code.

  • Hardware MFA Device - Like a virtual MFA device, a hardware device generates a six-digit numeric code according to a time-synchronized one-time password algorithm. Each MFA device assigned to a user must be unique.

NOTE - SMS text message-based MFA: AWS has ended support for enabling SMS MFA, and customers whose users still rely on it are recommended to switch to one of the mechanisms discussed above.

Enabling MFA Devices for Users in AWS

The type of MFA device in use determines how it is configured.

General Steps for Enabling MFA Devices

  • Select one of the MFA device types - a virtual MFA device, a FIDO security key, or a hardware MFA device. Only one MFA device can be enabled per AWS account root user or IAM user.

  • IAM users with virtual or hardware MFA devices can enable them from the AWS Management Console, the AWS CLI, or the IAM API; IAM users with FIDO security keys can enable them through the AWS Management Console only. AWS account root users can enable any type of MFA device through the AWS Management Console only.

  • Once the device is enabled, you can use it to sign in to and access AWS resources.

However, in order to call MFA-protected API operations, the following are required:
  1. An MFA code.
  2. The identifier for the MFA device.
  3. The usual access key ID and secret access key.

Enabling a Virtual MFA Device (Console)

A phone or any other device running a mobile app compliant with RFC 6238, the standards-based TOTP algorithm, can be used as a virtual MFA device; the app generates a six-digit authentication code. Because these apps generally run on unsecured mobile devices, it is recommended to use a virtual MFA device while waiting for hardware purchase approval or for the hardware to arrive. Although most of these apps support multiple virtual devices, letting you use the same app for several AWS accounts or users, only one MFA device can be enabled per user.