IAM MFA in AWS:
In this article, I am going to discuss IAM MFA in AWS. Please read our previous article where we discussed IAM Policies Hands-On in AWS.
Now that we have created users and groups, it is time to protect them from being compromised. For this, we have two defense mechanisms. The first one is to define what is called a Password Policy. Why? Because the stronger the passwords your users choose, the more secure your accounts are. In AWS, you can set up a password policy with several options.
First, you can set a minimum password length, and you can require specific character types, for example at least one uppercase letter, one lowercase letter, one number, and one non-alphanumeric character such as a question mark. Then you can allow or forbid IAM users to change their own passwords, and you can make passwords expire so that users must change them after some time, for example every 90 days.
Finally, you can prevent password reuse, so that when users change their password they cannot set it to the one they already have or to one they used before. A password policy is genuinely helpful against brute-force attacks on your accounts. Remember that a compromised account can do a lot of damage, especially if it has administrator rights: an attacker could change the configuration, delete resources, and so on. So you absolutely want to protect at least your Root Account and, ideally, all your IAM users. How do you protect them on top of the password? You use an MFA device. So what is MFA? Multi-Factor Authentication combines a password that you know with a security device that you own, and these two things together give much stronger security than a password alone. For example, let us take Alice.
Alice knows her password, but she also has an MFA device generating a token, and by using both together while logging in she completes a successful login with MFA. The benefit of MFA is that even if Alice loses her password because it is stolen or guessed, the account is not compromised, because the attacker would also need to get hold of Alice's physical device, for example her phone, to log in. That is obviously much less likely. So what are the MFA device options in AWS? You should know them for the exam, but don't worry, they are quite simple.
The first one is a Virtual MFA device, which is what we will be using in the hands-on. You can use Google Authenticator, which works on one phone at a time, or Authy, which is multi-device; they both work the same way except that one is multi-device. Personally, I use Authy because I like the fact that I can use it on my computer and on my phone. Authy also supports multiple tokens on a single device.
That means that with a Virtual MFA device you can register your root account, your IAM user, another account, and another IAM user: as many users and accounts as you want on a single Virtual MFA device, which makes it a very easy solution to use.
Next, there is the Universal 2nd Factor (U2F) Security Key, which is a physical device, for example a YubiKey by Yubico. Yubico is a third party to AWS; this is not something AWS provides. A physical device is convenient because you simply put it on your key fob and you are good to go. A single YubiKey supports multiple root and IAM users, so you do not need as many keys as users, which would otherwise be a nightmare.
Your other options are a Hardware Key Fob MFA device, for example the one provided by Gemalto, which is also a third party to AWS, and finally, if you are using the US government cloud, AWS GovCloud, a special Key Fob provided by SurePassID, which is also a third party.
In the next article, I am going to discuss IAM MFA Hands-On in AWS. Here, in this article, I tried to explain IAM MFA in AWS, and I hope you enjoyed this IAM MFA in AWS article.