How to create an IAM User and add MFA

Introduction

Multi-Factor Authentication (MFA) adds an extra layer of security to your AWS environment by requiring users to provide an additional authentication factor beyond their username and password. In this step-by-step guide, I will be walking you through the process of adding MFA to an IAM user in AWS using Google Authenticator, a popular two-factor authentication app.

Prerequisites:

  1. An AWS account with administrative access.

  2. A smartphone or tablet with the Google Authenticator app installed.

Step 1: Sign in to the AWS Management Console

Go to the AWS Management Console (https://console.aws.amazon.com) and sign in using your AWS account credentials. Once logged in, search for "IAM" in the AWS Management Console search bar and select the IAM service from the results.

Step 2: Navigate to "Users" in the IAM console

In the IAM console, on the left-hand side, click on "Users" under the "Access management" section. This will display a list of existing IAM users in your account. In my case I have none, so I have to click the "Add users" button in the top right corner.

Step 3: Specify User Details

Here, we have to specify the user details by supplying the required information, such as the user name, the type of user, and the password (autogenerated or custom). You can also choose to enable programmatic access (which generates access keys for API access) and AWS Management Console access (which allows the user to log in to the AWS Management Console).

You can also require the user to change the password on first sign-in, which is highly recommended.

Step 4: Set user permissions

Now we have to set permissions: you can choose to add the user to an existing group or attach policies directly to the user. Groups are a convenient way to manage permissions for multiple users, as you can assign policies to a group, and any user added to that group inherits the group's permissions.

Step 5: Configure Tags, Review, and Create

Here, you can assign key-value pairs as tags to the user. Tags provide additional metadata and can be useful for organizing and managing your IAM users. I used Department: Engineering, as shown below.

Step 6: Download the Access key and Secret Access Key

After setting up the user details, permissions, and tags, review the configuration. Make sure everything is accurate, and then click on the "Create user" button. Before you leave the page, download the CSV file containing the access key and secret access key: the secret access key cannot be retrieved again once you leave this page.

How to add MFA to the user

Prerequisites:

  1. Download the Google Authenticator app on your mobile phone; it is available on Google Play and the iOS App Store.

Step 1: Sign in to the AWS Management Console

Go to the AWS Management Console and open the IAM service. In the IAM console, on the left-hand side, click on "Users" under the "Access management" section. This will display a list of existing IAM users in your account. Then click on the user you just created. In my case, I gave the user the name “favboladale”, as seen below.

Step 2: Enable MFA for the User

With the user selected, click on the "Security credentials" tab. Under the "Multi-factor authentication (MFA)" section, click on the “Assign MFA Device” button.

Step 3: Choose the "Virtual MFA device" option

Select the "Virtual MFA device" option to use the Google Authenticator app as the MFA device.

Once you click it, a new page will appear. Provide a name for your MFA device, select "Authenticator app", and click "Next".

Step 4: Set Up the Virtual MFA Device

In this step, you have two options to set up the virtual MFA device:

a. Use QR Code: Open the Google Authenticator app on your smartphone or tablet, tap the "+" symbol to add a new account, and select the "Scan a barcode" option. Scan the QR code displayed on the AWS console.

b. Use Secret Key: If you are unable to scan the QR code, you can manually enter the secret key displayed on the AWS console into the Google Authenticator app.

Then this page will come up.

Step 5: Enter the Generated MFA Codes

The Google Authenticator app will generate a 6-digit verification code. Enter the first verification code into the "Authentication Code 1" field on the AWS console, wait for the app to rotate to the next code (codes change every 30 seconds), and then enter that second verification code into the "Authentication Code 2" field. AWS asks for two consecutive codes so it can confirm that the device's clock and secret line up with its own before the device is trusted.
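To show what the app is doing behind the two-code step, here is an added example (not code from the original post) that derives the same 6-digit codes from the base32 secret key AWS shows next to the QR code. The secret below is the constructed RFC 6238 test key, not a real AWS secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme virtual MFA devices use.

    secret_b32 is the base32 "secret key" shown in the AWS console
    (spaces are ignored so the value can be pasted as displayed).
    """
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = unix_time // step                       # 30-second time window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def two_consecutive_codes(secret_b32: str, unix_time: int) -> tuple:
    """The pair AWS asks for: the code for the current window and the next one.

    If the phone's clock drifts by more than a window, these will not match
    what AWS computes and the "Assign MFA" step fails; fixing the clock fixes it.
    """
    return totp(secret_b32, unix_time), totp(secret_b32, unix_time + 30)


# Constructed secret: the RFC 6238 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = int(time.time())
    code1, code2 = two_consecutive_codes(DEMO_SECRET, now)
    print(f"Authentication Code 1: {code1}")
    print(f"Authentication Code 2: {code2}")
```

The secret key (and the QR code that encodes it) is the long-term credential for the device, so it deserves the same handling as a password.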

Step 6: Verify and Complete MFA Setup

After entering the verification codes, click on the "Assign MFA" button to complete the MFA setup for the IAM user.

Step 7: Test MFA Setup

To ensure that MFA is working correctly, sign out of the AWS Management Console and sign back in. When prompted, enter your username and password, and then provide the current 6-digit verification code from the Google Authenticator app.
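Signing in confirms MFA for one user; to check the whole account, the IAM credential report lists every user with an `mfa_active` column. Here is an added example (not from the original post) that reads that report and flags console users, and the root account, that still have no MFA device. The report text is a constructed sample in the report's column layout, with made-up users and the documented example account ID.

```python
import csv
import io

# Constructed sample in the column layout of the IAM credential report
# (`aws iam get-credential-report` returns the CSV base64-encoded); only the
# columns used here are shown. Note the root row reports "not_supported"
# for password_enabled, which is why it is special-cased below.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false
favboladale,arn:aws:iam::111122223333:user/favboladale,true,true,false
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,false,true
jdoe,arn:aws:iam::111122223333:user/jdoe,true,false,true
"""


def users_missing_mfa(report_csv: str) -> list:
    """Return the root account and console-enabled users with no active MFA."""
    missing = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        has_console_login = is_root or row["password_enabled"] == "true"
        if has_console_login and row["mfa_active"] != "true":
            missing.append(row["user"])
    return missing


def key_only_users(report_csv: str) -> list:
    """Users that sign API calls with an access key but have no console login.

    A virtual MFA device only protects console sign-in; these keys are used
    without MFA unless a policy condition on aws:MultiFactorAuthPresent
    requires it, so they are worth reviewing separately.
    """
    return [
        row["user"]
        for row in csv.DictReader(io.StringIO(report_csv))
        if row["password_enabled"] == "false" and row["access_key_1_active"] == "true"
    ]


if __name__ == "__main__":
    print("No MFA:", users_missing_mfa(SAMPLE_REPORT))
    print("Access-key-only users:", key_only_users(SAMPLE_REPORT))
```

To run it against a real account, decode the `Content` field of `aws iam get-credential-report` with base64 and pass the resulting text in place of `SAMPLE_REPORT`.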

Conclusion

Enabling MFA for IAM users adds an extra layer of security to your AWS environment by requiring users to provide an additional authentication factor. By following the step-by-step instructions outlined in this guide, you can easily add MFA to an IAM user in AWS using the Google Authenticator app. Protecting your AWS resources with MFA helps safeguard against unauthorized access and enhances the overall security of your cloud infrastructure.

To learn more about best practices and strategies to secure your cloud resources, implement identity and access management (IAM) policies, set up network security controls, and comply with industry standards and regulations, check out other blog posts I have on AWS IAM.

AWS IAM: Strengthening Security and Access Control in the Cloud

How to Create an IAM Group

How to Create IAM Roles in AWS

How to Limit a User's Access Using the AWS IAM
