How to set up multi-factor authentication for an IAM user in AWS

MFA protocols are a simple best practice for increasing the overall access security of AWS cloud services and could prevent costly security breaches in your enterprise.

While the benefits of cloud computing services for many business enterprises are well documented, tapping into all that computational power requires careful and diligent use of security protocols and procedures. Multi-factor authentication is one of the more straightforward and effective cloud service security protocols available and should be implemented as a normal part of your access controls.

Setting up multi-factor authentication (MFA) for Amazon Web Services (AWS) requires the use of a trusted third-party authentication code generator. In general terms, an authentication code generator periodically calculates a unique code that can then be entered into AWS during the login procedure. Access to the code, coupled with the entry of the proper password, verifies your identity and authorization to access AWS. A user must provide both security factors before access will be granted.

This how-to tutorial shows you how to create a simple MFA security protocol using a mobile device. The MFA security protocol can then be applied to a user granted AWS access under the Identity and Access Management (IAM) system.

Multi-factor authentication for an IAM user in AWS

Before you can associate an IAM user with the MFA protocol, you must first download and install an authentication code generator application to your smartphone or other mobile device. There are a few apps available for each operating system, but for this example, we are using Authy 2-Factor Authentication for Android, which is available for free on Google Play (Figure A).

Figure A

With the generator in place, log in to the AWS console and use the Services menu to navigate to the IAM services section, as shown in Figure B. Use the left-hand navigation pane to select Users.

Figure B

On the Users page, select the name of the user you will be configuring and then select the Security credentials tab (Figure C). In the list of credentials, find and click the link to manage Assigned MFA devices.

Figure C

Choose the appropriate MFA device and click the Continue button. On the next page (Figure D), you will have a choice. If your code generator can read QR codes, click that link and follow the instructions on your mobile device. Alternatively, click the link to show the secret code and type it manually.

Figure D

Once the secret code is entered, you will be asked to enter the next two codes generated on your mobile device. After you enter the two codes, click the Assign MFA button. Take note: if you delay too long before assigning the MFA codes, the setup may fail, and you'll have to start over.

If your setup is successful, you will receive a confirmation notice (Figure E). Click the close button to complete the process.

Figure E

Now, the next time that particular IAM user logs in to AWS, they will be asked to enter both a password and the authentication code generated by the app on your mobile device. The extra level of security will help protect your enterprise cloud services on AWS from being accessed by the wrong people.
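To make the "next two codes" step concrete, the following added example (not part of the original article and not AWS code) implements the standard time-based one-time password algorithm (RFC 6238) that authenticator apps use, and models a server-side check of two consecutive codes. The secret is the published RFC 6238 test key, and the function names and the one-step drift tolerance are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid (RFC 6238 default)
DIGITS = 6   # code length shown by common authenticator apps

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
# A real secret is the one shown once on the setup page (QR code or text).
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _key(secret_b32: str) -> bytes:
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, unix_time: int) -> str:
    """The code an authenticator app displays at unix_time."""
    return hotp(_key(secret_b32), unix_time // STEP)


def next_two_codes(secret_b32: str, unix_time: int) -> tuple:
    """The current code and the one that replaces it STEP seconds later."""
    return totp(secret_b32, unix_time), totp(secret_b32, unix_time + STEP)


def enrollment_accepts(secret_b32, code1, code2, server_time, drift_steps=1):
    """Hypothetical server-side model: code1 and code2 must belong to two
    consecutive time steps that lie within drift_steps of the server clock."""
    key = _key(secret_b32)
    now = server_time // STEP
    for c in range(now - drift_steps, now + drift_steps + 1):
        if (hmac.compare_digest(hotp(key, c), code1)
                and hmac.compare_digest(hotp(key, c + 1), code2)):
            return True
    return False


if __name__ == "__main__":
    t = 1111111109  # fixed timestamp taken from the RFC 6238 test vectors
    first, second = next_two_codes(SECRET, t)
    print("codes:", first, second)
    print("submitted promptly:", enrollment_accepts(SECRET, first, second, t))
    print("submitted 5 min late:", enrollment_accepts(SECRET, first, second, t + 300))
```

Because both codes are derived only from the shared secret and the clock, anyone who obtains the secret shown during setup can generate valid codes, so treat the QR code and the text secret as credentials.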

By Mark Kaelin

Mark W. Kaelin has been writing and editing stories about the IT industry, gadgets, finance, accounting, and tech-life for more than 25 years. Most recently, he has been a regular contributor to BreakingModern.com, aNewDomain.net, and TechRepublic.