AWS | Adding MFA to a User Account

As we’ve created our Terraform user in a previous post, we now need to take steps to increase our security. As previously explained the account we’ve created doesn’t require a password, which is a good thing, but on the flip side its programmed into our Terraform script files. I will be creating a post at some point to expand on our script files to make them more secure and dynamic.

One step we can easily take is to add MFA (Multi Factor Authentication) to our account and this can be done very easily with a smartphone.

The Process

Lets get logged into the management console with an account that has permissions to edit IAM (Identity and Access Management) user properties. We’ll navigate over to the IAM service dashboard either by using the search bar at the top of the page or if, like me, you’ve already accessed the dashboard before, you will see it in the ‘Recently Visited’ section.

On the main dashboard select ‘Users’ on the left hand side menu

We can see a list of users and if we’ve already enabled MFA on the account. As we can see our ‘Terraform’ account has no MFA enabled so we’re select the username to edit the user properties

To change of settings around security we’ll select the ‘Security Credentials’ tab

We can, again, see that there is no MFA device assigned to this account which we can change by selecting the ‘Manage’ link on the ‘Assigned MFA Device’ line

There are a couple of different options we can use to enable MFA. We first need to decide how our user will provide an additional code. There are three main options:

  1. Virtual MFA Device – these will be software apps like MS Authenticator and Google Authenticator
  2. U2F Security Key – these may be physical USB keys such as the YubiKey product line
  3. Other hardware MFA Device – these may be devices such as physical smartcards

A full list of approved Virtual MFA Devices can be found here: IAM – Multi-Factor Authentication (amazon.com)

I’ll be using MS Authenticator in this example so I will select Virtual MFA Device

The next step is we’ll need to open our Authentication app and select to add a new account. We can then click on ‘Show QR Code’ which we can scan into the authentication app. The app then generates codes for the account which we need to enter into the wizard

Once the codes have been validated, we’ll see a success window

If we look back at the user properties page we can now see an assigned device and also what type of device has been assigned. For us its virtual

 

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.