This guide is part of the Amazon Web Services (AWS) Essentials tutorial and will help you through the process for setting up a device to perform Multi-Factor Authentication (MFA). This additional layer of security should be used for all accounts, but most importantly for your root account. The steps that follow will work for all user accounts.
Version Notes: Created on October 8, 2023.
Getting Started
Your Amazon Web Services (AWS) root user has access to do everything in your account. As a result, it is critical that it be kept secure. In addition, other users may have permissions to perform functions that can be destructive or cost you money. Turning on MFA is something that should be a standard practice for all accounts.
NOTE: You are responsible for any costs associated with your Amazon Web Services (AWS) account.
To begin, search for IAM in the search field at the top of the page and click on the IAM Service. Note that if you click the star beside IAM, it will add it to the top of your console as a favorite. This will be helpful as you use certain services repeatedly.
MFA Alert
If MFA is not enabled for the account, you will see a Security Recommendation at the top of the IAM Dashboard.
Click Add MFA.
Select an MFA Device
There are three types of MFA devices that you can use.
Authenticator App is an application you install on your mobile phone which will provide you with security codes that can be entered into AWS when logging in.
Security Key is a USB token that you insert into your computer when logging in. It serves as a physical key in that you will not be able to log in to AWS as this user unless that key is inserted.
Hardware TOTP Token is a physical token that displays security codes which change every 30 seconds. When logging in, you will be prompted to enter the current code from this token. This token functions in the same manner as the Authenticator App, but is a stand-alone device.
For the purposes of this tutorial, I will only be discussing the Authenticator App option.
Enter a name for this device (any name will do)
Select Authenticator App
Click Next
Setup Device
There are many authenticator apps available for your phone, such as Google Authenticator, Authy, LastPass Authenticator, and many others.
Choose an app that works for you and install it on your phone. Launch the authenticator app on your phone and tap the button to add a new account.
Click the Show QR Code link.
Scan the QR code displayed on the screen
This should automatically add AWS as an account and you will start seeing security codes for AWS.
You need to enter 2 consecutive codes. Enter the current code, wait for the app to show the next code, then enter that one as well.
Click Add MFA
Confirm MFA Device Assigned
You should see a message at the top of the screen indicating that the MFA device is now set up.
All Done
Multi-Factor Authentication (MFA) is now set up for this account. Whenever you log in to this account, you will be prompted to provide the current security code from the Authenticator App on your phone. It is highly recommended that you enable this for all your user accounts.
You may return to the Amazon Web Services Essentials tutorial for the additional steps.