Multi-factor authentication (MFA) is a security feature that requires users to provide more than one piece of information to verify their identity when they access AWS resources. MFA can help protect your AWS account from unauthorized access and enhance the security of your data.
In this blog post, I will show you how to set up MFA for your AWS account using the Microsoft Authenticator app, which is a virtual MFA device that runs on your smartphone and generates a six-digit code based on the time-based one-time password (TOTP) algorithm.
You can use this code along with your regular sign-in credentials to access the AWS Management Console or the AWS CLI.
Step 1: Install the Microsoft Authenticator app on your smartphone
You can download the Microsoft Authenticator app from the App Store for iOS devices or the Google Play Store for Android devices. Follow the instructions on the app to set it up and add your personal account.
Step 2: Enable MFA for your AWS account root user or IAM user
Depending on whether you want to enable MFA for your AWS account root user or an IAM user, you need to follow different steps.
For the AWS account root user:
- Log in to the AWS Management Console with your root user credentials and go to the Security Credentials page.
- In the Multi-factor authentication (MFA) section, click on "Assign MFA Device".
- Choose the “Authenticator app” as the MFA type and click on Continue.
- On your smartphone, open the Microsoft Authenticator app and tap on the plus (+) icon to add a new account.
- Choose Other account (Google, Facebook, etc.) as the account type and scan the QR code displayed on the AWS console with your phone’s camera.
- The app will generate a six-digit code for your AWS account. Enter this code in the first text box on the AWS console and wait for a few seconds until the app generates a new code. Enter the new code in the second text box and click on Assign MFA.
- You will see a confirmation message that MFA has been successfully enabled for your root user.
For an IAM user:
- Log in to the AWS Management Console with your IAM user credentials and go to the IAM dashboard.
- In the navigation pane, click on Users and select the user name for whom you want to enable MFA.
- In the Security credentials tab, click on the pencil icon next to Assigned MFA device.
- Choose Virtual MFA (Authenticator app) device as the MFA type and click on Manage.
- Follow the same steps as for the root user to scan the QR code with the Microsoft Authenticator app and enter the codes on the AWS console.
- Click on Enable MFA to complete the process.
Step 3: Sign in to AWS with MFA
After you have enabled MFA for your AWS account root user or IAM user, you will need to provide the six-digit code from the Microsoft Authenticator app along with your regular sign-in credentials whenever you access the AWS Management Console or the AWS CLI.
For the AWS Management Console:
- Go to the AWS sign-in page and enter your username and password as usual.
- On the next page, you will see a prompt to enter your MFA code. Open the Microsoft Authenticator app on your smartphone and find the code for your AWS account. Enter this code in the text box and click on Submit.
- You will be redirected to the AWS Management Console.
For the AWS CLI:
- Before you can use the AWS CLI with MFA, you need to create a temporary session token that includes the MFA code. You can do this with the aws sts get-session-token command and its --serial-number and --token-code parameters.
- The --serial-number parameter is the ARN of your virtual MFA device, which you can find on the Security Credentials page for the root user or the IAM dashboard for the IAM user. It has the format arn:aws:iam::account-id:mfa/user-name.
- The --token-code parameter is the six-digit code from the Microsoft Authenticator app for your AWS account.
- For example, if your account ID is 123456789012, your user name is Wick, and your code is 123456, you can run the following command:
aws sts get-session-token --serial-number arn:aws:iam::123456789012:mfa/Wick --token-code 123456
- The command returns JSON output containing the temporary access key ID, secret access key, session token, and expiration date. You can use these values to set the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables, or store them in a profile in the AWS credentials file.
- After you have set up the temporary credentials, you can use the AWS CLI as usual with MFA.
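The following is an added example, not code from the post or from AWS: it takes the JSON that aws sts get-session-token returns (a constructed sample with placeholder values is embedded), checks that every field is present and that the credentials have not expired, and stores them either as environment variables or as a named profile in a credentials file (a temp path by default, so it never touches your real ~/.aws/credentials).

```python
import configparser
import json
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Constructed sample with the shape of `aws sts get-session-token` output.
# The key and token values are placeholders, not real credentials.
SAMPLE_RESPONSE = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
    "SecretAccessKey": "EXAMPLE-secret-access-key-PLACEHOLDER",
    "SessionToken": "EXAMPLE-session-token-PLACEHOLDER",
    "Expiration": "2024-01-01T12:00:00+00:00"
  }
}"""
REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def parse_credentials(response_text: str) -> dict:
    """Pull the Credentials block out of the JSON and fail loudly if a field is missing."""
    creds = json.loads(response_text).get("Credentials", {})
    missing = [k for k in REQUIRED if k not in creds]
    if missing:
        raise ValueError(f"get-session-token output is missing {missing}")
    return creds


def is_expired(creds: dict, now_iso: str) -> bool:
    """Session credentials are short-lived; check Expiration before reusing a stored profile."""
    exp = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return datetime.fromisoformat(now_iso.replace("Z", "+00:00")) >= exp


def env_exports(creds: dict) -> dict:
    """The three environment variables the post says to set from the response."""
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}


def write_profile(creds: dict, credentials_file: str = "", profile: str = "mfa") -> str:
    """Store the temporary credentials as a named profile (then run: aws --profile mfa ...)."""
    path = Path(credentials_file or os.path.join(tempfile.mkdtemp(), "credentials"))
    cfg = configparser.ConfigParser()
    if path.exists():
        cfg.read(path)  # keep any other profiles in the file intact
    cfg[profile] = {k.lower(): v for k, v in env_exports(creds).items()}
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # secrets on disk: owner read/write only
    return str(path)


def read_profile(credentials_file: str, profile: str = "mfa") -> dict:
    cfg = configparser.ConfigParser()
    cfg.read(credentials_file)
    return dict(cfg[profile])
```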
Conclusion
In this blog post, I have shown you how to set up MFA for your AWS account using the Microsoft Authenticator app, which is a virtual MFA device that runs on your smartphone and generates a six-digit code based on the TOTP algorithm.
MFA can help you protect your AWS account from unauthorized access and enhance the security of your data. I hope you found this post useful and informative. If you have any questions or feedback, please leave a comment below. Thank you for reading!