How to Secure AWS accounts with Multi-factor authentication (MFA)?

Kubernetes Advocate
AVM Consulting Blog
4 min read · Aug 24, 2022
Using AWS Console

  1. Sign in to the AWS Management Console using your root credentials.
  2. Click on the AWS account name or number in the upper-right corner of the management console and select Security Credentials from the dropdown menu.

3. On Your Security Credentials page, click the Multi-Factor Authentication (MFA) accordion tab to expand the MFA management panel.

4. On the MFA management panel, check whether an enabled MFA device is listed with its Device Type set to “Hardware MFA” (newer versions of the IAM console label this “Hardware TOTP token”; a FIDO security key is hardware-backed as well). If the listed MFA device is not a hardware device, or no device is listed at all, your AWS root account is not protected by a hardware-based MFA device and therefore does not adhere to AWS security best practices.

5. Repeat steps no. 1–4 for each Amazon Web Services root account that you want to examine.

Using AWS CLI

  1. Run the list-virtual-mfa-devices command (OSX/Linux/UNIX) with a query filter to return the ARNs of the active virtual MFA devices in the account, including any assigned to your AWS root account:

aws iam list-virtual-mfa-devices \
    --assignment-status Assigned \
    --query 'VirtualMFADevices[*].SerialNumber'

2. If a virtual MFA device is enabled for your root account, the command output will include its Amazon Resource Name (ARN), alongside the ARNs of any virtual devices assigned to IAM users:

[
"arn:aws:iam::123456789012:mfa/root-account-mfa-device"
]

When this post was written, Amazon Web Services allowed only one MFA device (virtual or hardware) per root account. If the list-virtual-mfa-devices output therefore contains a valid ARN for the root user (e.g. “arn:aws:iam::123456789012:mfa/root-account-mfa-device”), the device assigned to root is virtual, not hardware, and the selected root account is not protected by a hardware-based MFA device. Two caveats apply. First, the command lists every assigned virtual device in the account, IAM users' included, so identify the root device by the user ARN it is attached to (it ends in “:root”) or by the default serial name root-account-mfa-device, not merely by the presence of an ARN in the output. Second, AWS has since allowed up to eight MFA devices per root user, so a root user with a virtual device may also hold a hardware one; the virtual device is still an accepted factor, so remove it once the hardware device is registered if the goal is hardware-only MFA.

3. Repeat steps no. 1 and 2 for each AWS root account that you want to examine via CLI.
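The CLI check above leaves the classification to the reader's eye. The following script, an added example that is not part of the original post, turns the output of two AWS CLI commands into a verdict: `aws iam get-account-summary` (its SummaryMap.AccountMFAEnabled field is 1 only when the root user has an MFA device) and `aws iam list-virtual-mfa-devices --assignment-status Assigned` (whose entries carry the ARN of the user each device is attached to; for root that ARN ends in “:root”). The sample JSON embedded in the script is constructed, not captured from a real account, and the three verdict labels are this script's own names; the CLI cannot tell a hardware TOTP token from a FIDO security key, so both land in the same non-virtual bucket.

```python
"""Classify how the AWS root user is protected by MFA, from AWS CLI output.

Added example, not code from the original post. It parses the JSON printed by
`aws iam get-account-summary` and
`aws iam list-virtual-mfa-devices --assignment-status Assigned`, so it runs
offline against the constructed samples below; run_live() feeds it real output
(needs the AWS CLI and credentials allowed to call iam:GetAccountSummary and
iam:ListVirtualMFADevices).
"""
import json
import subprocess

NO_MFA = "NO_MFA"                    # root has no MFA device at all
VIRTUAL_MFA = "VIRTUAL_MFA"          # a virtual (software TOTP) device is assigned to root
NON_VIRTUAL_MFA = "NON_VIRTUAL_MFA"  # MFA on, no virtual device: hardware TOTP token or FIDO key


def root_virtual_devices(list_virtual_json: str) -> list:
    """Return the serial numbers (ARNs) of virtual MFA devices assigned to root.

    list-virtual-mfa-devices returns every assigned device in the account, IAM
    users' included; the root user's devices are those whose User.Arn ends in
    ":root" (arn:aws:iam::<account-id>:root).
    """
    devices = json.loads(list_virtual_json).get("VirtualMFADevices", [])
    return [d["SerialNumber"] for d in devices
            if d.get("User", {}).get("Arn", "").endswith(":root")]


def classify_root_mfa(account_summary_json: str, list_virtual_json: str) -> str:
    """Map the two CLI outputs to NO_MFA, VIRTUAL_MFA or NON_VIRTUAL_MFA."""
    summary = json.loads(account_summary_json)["SummaryMap"]
    # AccountMFAEnabled is 1 only when the root user has at least one MFA device.
    if summary.get("AccountMFAEnabled", 0) != 1:
        return NO_MFA
    # Any virtual device on root means the account is not hardware-only protected,
    # even if a hardware device is also registered (AWS now allows several per user).
    if root_virtual_devices(list_virtual_json):
        return VIRTUAL_MFA
    return NON_VIRTUAL_MFA


def run_live() -> str:
    """Run the two CLI commands against the current credentials and classify them."""
    def aws(*args):
        return subprocess.run(["aws", "iam", *args, "--output", "json"],
                              check=True, capture_output=True, text=True).stdout
    return classify_root_mfa(
        aws("get-account-summary"),
        aws("list-virtual-mfa-devices", "--assignment-status", "Assigned"),
    )


# Constructed sample CLI output (not captured from a real account).
SAMPLE_SUMMARY_MFA_ON = json.dumps({"SummaryMap": {"AccountMFAEnabled": 1, "Users": 3}})
SAMPLE_SUMMARY_MFA_OFF = json.dumps({"SummaryMap": {"AccountMFAEnabled": 0, "Users": 3}})
SAMPLE_VIRTUAL_ROOT = json.dumps({"VirtualMFADevices": [
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
     "User": {"UserId": "123456789012", "Arn": "arn:aws:iam::123456789012:root"}},
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
     "User": {"UserId": "AIDAEXAMPLE", "UserName": "alice",
              "Arn": "arn:aws:iam::123456789012:user/alice"}},
]})
SAMPLE_VIRTUAL_USERS_ONLY = json.dumps({"VirtualMFADevices": [
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
     "User": {"UserId": "AIDAEXAMPLE", "UserName": "alice",
              "Arn": "arn:aws:iam::123456789012:user/alice"}},
]})

if __name__ == "__main__":
    for label, summary, virtual in [
        ("virtual device on root", SAMPLE_SUMMARY_MFA_ON, SAMPLE_VIRTUAL_ROOT),
        ("hardware or FIDO on root", SAMPLE_SUMMARY_MFA_ON, SAMPLE_VIRTUAL_USERS_ONLY),
        ("no MFA on root", SAMPLE_SUMMARY_MFA_OFF, SAMPLE_VIRTUAL_USERS_ONLY),
    ]:
        print(f"{label}: {classify_root_mfa(summary, virtual)}")
```

Run it as-is to see the three constructed cases classified; call run_live() from a session holding credentials for the account under review to classify real output. Because a FIDO security key does not appear in list-virtual-mfa-devices either, NON_VIRTUAL_MFA is the strongest statement this data supports, and the console check in the previous section is still needed to confirm which hardware device type is registered.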

Remediation / Resolution

To implement strong protection for your AWS root account using a Multi-Factor Authentication (MFA) hardware device, perform the following:

Note: Installing and activating a hardware-based MFA device for the AWS root account via Command Line Interface (CLI) is not currently supported.

Using AWS Console

  1. Sign in to the AWS Management Console using your root credentials.
  2. Click on the AWS account name or number in the upper-right corner of the management console and select Security Credentials from the dropdown menu.
  3. On Your Security Credentials page, click on the Multi-Factor Authentication (MFA) accordion tab to expand the MFA management panel.
  4. On the MFA management panel, click the Activate MFA button to initiate the MFA device setup process (newer versions of the IAM console label this Assign MFA device). Note: If a virtual MFA device is already assigned, the Activate MFA button is not visible; the virtual device has to be deactivated first. Do the deactivation and the hardware setup in one sitting, because between the two the root account is protected by its password alone.
  5. Inside the Manage MFA Device dialog box, perform the following actions:
     a. Select the A hardware MFA device option, then click Next Step.
     b. For Serial Number, enter the serial number, which is usually printed on the back of the hardware device.
     c. For Authentication Code, enter the six-digit number currently shown by the hardware device. Follow the manufacturer's instructions to generate the code.
     d. For Authentication Code 2, wait about 30 seconds for the device to refresh, then enter the next six-digit number. Click Next Step to confirm the details and install the MFA device.
     e. Click Finish to return to the AWS IAM dashboard. The hardware MFA device is now assigned to your AWS root account and activated; the next time you sign in with root credentials, you must also provide a code generated by it.
  6. Repeat steps 1–5 for each AWS root account that you want to protect with a hardware-based MFA device.

Vineet Sharma, Founder and CEO of Kubernetes Advocate. Tech author, cloud-native architect, and startup advisor. https://in.linkedin.com/in/vineet-sharma-0164