Two ways to secure your AWS root account with MFA


In our previous post we walked through creating a free AWS account and received the registered e-mail address and password used to sign in to the AWS Management Console. Today we will secure that account by enabling MFA for the AWS root user, the identity with unrestricted access to everything in the account.

You can use a phone or other device as a virtual multi-factor authentication (MFA) device. I personally use Google Authenticator, which you can download from the Google Play Store or the Apple App Store. Any other authenticator app that implements RFC 6238 time-based one-time passwords (TOTP) works the same way.

These apps generate a six-digit authentication code that changes every 30 seconds. Because they run on general-purpose mobile devices that may themselves be compromised, a virtual MFA device might not provide the same level of security as a U2F security key or a dedicated hardware MFA device. A virtual device is still far better than no second factor at all, so we recommend enabling one while you wait for hardware purchase approval or for the hardware to arrive.

Most virtual MFA apps support creating multiple virtual devices, so you can use the same app for several AWS accounts or users. When this post was written, however, AWS allowed only one MFA device per user (AWS has since raised the limit to eight devices per user, which lets you register a backup device).

Before you enable MFA for your root user, review your account settings and contact information to make sure that you have access to the email and phone number. If your MFA device is lost, stolen, or not working, you can still sign in as the root user by verifying your identity using that email and phone number.

AWS MFA setup

AWS MFA can be set up in several ways. In this article we will look at two of them: first with Google Authenticator (a virtual MFA device), then with a YubiKey (a U2F security key).

How to use Google Authenticator for AWS MFA?

  1. Sign in to the AWS Management Console as the root user.
  2. On the right side of the navigation bar, choose your account name, and choose My Security Credentials. If necessary, choose Continue to Security Credentials. Then expand the Multi-Factor Authentication (MFA) section on the page.
  3. Choose Activate MFA.
  4. In the wizard, choose Virtual MFA device, and then choose Continue. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the secret configuration key, which is also available for manual entry on devices that cannot scan QR codes.
  5. Open the virtual MFA app on the device. If the app supports multiple virtual MFA devices or accounts, choose the option to create a new virtual MFA device or account.
  6. The easiest way to configure the app is to scan the QR code. If you cannot scan the code, you can type the configuration information manually. The QR code and secret configuration key generated by IAM are tied to your AWS account and cannot be used with a different account. They can, however, be reused to configure a new MFA device for your account in case you lose access to the original one. Treat that secret key like a password: anyone who obtains it can generate your codes, so if you keep a copy, keep it offline and out of screenshots or chat history.
    • To use the QR code, choose Show QR code in the wizard, then follow the app's instructions for scanning it. For example, you might need to choose the camera icon or a command like Scan account barcode, and then point the device's camera at the QR code.
    • To enter the key by hand, choose Show secret key in the Manage MFA Device wizard, and then type the secret key into your MFA app. The device starts generating six-digit numbers.
  7. In the Manage MFA Device wizard, in the MFA Code 1 box, enter the six-digit number currently displayed by the MFA device. Wait up to 30 seconds for the device to generate a new number, and then type the new six-digit number into the MFA Code 2 box. If AWS rejects the pair, check that the phone's clock is set automatically: TOTP codes are derived from the current time, so a device whose clock drifts produces codes that do not match.
  8. Choose Assign MFA, and then choose Finish.

The device is ready for use with AWS. Sign out and sign back in as the root user to confirm that the console now asks for a code after the password.
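The six-digit numbers in the steps above are RFC 6238 TOTP values computed from the secret key that the QR code encodes. As an added example (not part of the original post and not AWS's or Google's code), the pure-Python script below parses an otpauth URI of the kind a QR code carries, derives the HMAC-SHA1 one-time code for the current 30-second window, and produces the two consecutive codes the wizard asks for as MFA Code 1 and MFA Code 2. The sample URI, its label and issuer are constructed; its secret is the RFC 4226/6238 test key, not a real AWS secret; and the clock-skew tolerance in `verify_enrollment` is an assumption, not AWS's documented behaviour.

```python
"""Minimal RFC 6238 TOTP generator: what a virtual MFA app computes from the
secret that AWS shows as a QR code / secret configuration key."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of an otpauth URI like the one encoded in the QR code.
# The secret is the RFC 4226/6238 test key "12345678901234567890" in base32;
# label and issuer are illustrative, not taken from a real AWS account.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Amazon%20Web%20Services:root-account-mfa-device%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Amazon%20Web%20Services"
)


def parse_otpauth(uri):
    """Return (label, base32 secret, digits, period) from an otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = parse_qs(parsed.query)
    label = unquote(parsed.path.lstrip("/"))
    secret = params["secret"][0]
    digits = int(params.get("digits", ["6"])[0])   # AWS uses the default of 6
    period = int(params.get("period", ["30"])[0])  # and a 30-second window
    return label, secret, digits, period


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, digits=6, period=30):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret_b32, int(unix_time) // period, digits)


def two_consecutive_codes(secret_b32, unix_time, digits=6, period=30):
    """The pair the wizard asks for as MFA Code 1 and MFA Code 2: the code for
    the current window and the code for the window that follows it."""
    step = int(unix_time) // period
    return hotp(secret_b32, step, digits), hotp(secret_b32, step + 1, digits)


def verify_enrollment(secret_b32, code1, code2, unix_time, digits=6, period=30, skew=1):
    """Accept the pair only if code1 and code2 are codes for two consecutive
    windows within `skew` windows of the verifier's clock. The tolerance is an
    assumption for illustration; AWS does not document its exact window."""
    step = int(unix_time) // period
    for s in range(step - skew, step + skew + 1):
        if hotp(secret_b32, s, digits) == code1 and hotp(secret_b32, s + 1, digits) == code2:
            return True
    return False


if __name__ == "__main__":
    label, secret, digits, period = parse_otpauth(SAMPLE_OTPAUTH_URI)
    now = time.time()
    code1, code2 = two_consecutive_codes(secret, now, digits, period)
    print(label, code1, code2, verify_enrollment(secret, code1, code2, now, digits, period))
```

Because the same secret yields the same codes on any device with a correct clock, the script also shows why the secret key must be protected as carefully as the password, and why a phone whose clock has drifted by more than a window or two is rejected at enrollment.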

YubiKey for MFA Authentication

Instead of Google Authenticator, you can use a physical YubiKey as your MFA device. YubiKey supports Universal 2nd Factor (U2F), an open authentication standard that lets users securely access multiple online services with a single security key, without installing drivers or client software. Because the private key never leaves the device and the response is bound to the site that requested it, a U2F key is also resistant to the phishing that can capture a typed TOTP code.

AWS lets you enable a YubiKey as the MFA device for IAM users and for the root user. A single key can be registered for multiple IAM users and root users across AWS accounts, so one device covers all of them.

The following steps enable a YubiKey as the MFA device for an IAM user.

  1. Sign in to the IAM console.
  2. In the left navigation pane, select Users and then choose the name of the user for whom you want to enable a YubiKey.
  3. Select the Security Credentials tab, and then select the Manage link next to Assigned MFA device.
  4. In the Manage MFA Device wizard, select U2F security key and then select Continue.
  5. Insert the YubiKey into a USB port of your computer, wait for the key to blink, and then touch the button or gold disk on the key. If the key doesn't blink, select Troubleshoot U2F to review the troubleshooting instructions. The registration is performed by the browser, so use a browser that supports security keys.
  6. You’ll receive a notification that the security key assignment was successful. The YubiKey security key is ready for use. Select Close.

The Security Credentials tab now shows the U2F security key next to Assigned MFA device: the YubiKey is enabled as the MFA device for that IAM user. To do the same for the root user, sign in as root, open My Security Credentials, expand the Multi-Factor Authentication (MFA) section, choose Activate MFA, and select U2F security key in the same Manage MFA Device wizard.