Multi-Factor Authentication (MFA) on AWS

Zeeshan Baig
Jun 15, 2019 · 5 min read
www.datanextsolutions.com

Overview

I will be posting a series of articles related to AWS security. Some of them require Multi-Factor Authentication (MFA), so here is a basic one on how to enable MFA on AWS.

Probably many of you are already familiar with using MFA to log in through a web browser. In this post, I will also share how to use MFA login with the AWS CLI.

Create IAM User

The first step is to create an IAM user, if you don't already have one, using the AWS Console. Make sure you allow console access and/or programmatic access (as required).

In this example, I am creating a user called mfatest.

Enable MFA

To enable MFA on an IAM user, open AWS Console > IAM > Users and select the user you want to enable MFA for. In my example, it is the user mfatest.

Click Manage under the Assign MFA device section.


Select the MFA device you want to use. The most common these days is a Virtual MFA device; you can use the Google Authenticator app on your mobile device as a Virtual MFA device.


Note: Just in case you are not familiar with the Physical MFA devices, they look like the following ;-)

[Image: physical MFA devices. Image by Google Images]

Scan the barcode with the Google Authenticator app.


In the Google Authenticator app, tap the + sign and choose Scan barcode.


The app will automatically detect the settings and display a 6-digit code, which expires every 30 seconds or so.


Go back to the AWS Console, enter the next two consecutive codes from the Google Authenticator app and click OK.


Once the codes match, MFA is enabled for the IAM user.


Using MFA in a Web Browser

Copy the URL shown under Summary as the Console sign-in link.


Enter the User ID and Password.


Enter the MFA code from the Google Authenticator app (or another MFA device) and click Submit; you should see the AWS console.


Using MFA with the AWS CLI

Setting up MFA on the CLI is a bit tricky.

First, make sure you have enabled programmatic access for the IAM user (see the create-user step earlier).

I have also attached a custom policy to the IAM user to force MFA when using AWS services; check this AWS documentation link for more info.

I have added a new profile for the mfatest user to use with the AWS CLI:

$ vi ~/.aws/credentials

[mfatest]
aws_access_key_id=AKIA3XXXXXXXXXXMX
aws_secret_access_key=AXXXXXXX3KXXXXXXsxZ

Copy the MFA device ARN (arn:aws:iam::...) from the AWS console, as shown under Assign MFA device (we need this in the following commands).


Execute the following command to get temporary access and secret keys from AWS; you need to pass the current token from the MFA device.

Note: pass the MFA device ARN to --serial-number and the current MFA device token to --token-code.

$ aws sts get-session-token --serial-number arn:aws:iam::0080000000:mfa/mfatest --profile mfatest --token-code 757641

The response contains a temporary Access Key, Secret Key and Session Token, which are valid until the expiration time:

{
    "Credentials": {
        "AccessKeyId": "ASIA3YQR7W7XXXXXBK56A",
        "SecretAccessKey": "U5jeemYSXXX3dtFwgeXvbM/jPq/CJDkPKx",
        "SessionToken": "FQoGZXIvYXdzEPf//////////wEaDDrEdJtDMLVJuXciEiKwAXtzQ+gG2KsVzSjS8uLmkvTGzdMOrIdNW7VvelmSRMH0SXXXXXZlBXKcQekmwuEWrKuKMtv+3HYVGHC6kH7ZT8CyvL79KT3X9R3KlAUdqCQYktRq6TOouYKHFHrm6GZNk2i9cq18KJq9legF",
        "Expiration": "2019-06-16T09:09:46Z"
    }
}

You can add these credentials to your AWS CLI config or set them as environment variables; see this post for more info.

In my example, I set them in the AWS CLI configuration as a new profile called mymfa:

$ vi ~/.aws/credentials

[mfatest]
aws_access_key_id=AKIA3XXXXXXXXXXMX
aws_secret_access_key=AXXXXXXX3KXXXXXXsxZ

[mymfa]
output = json
region = us-east-1
aws_access_key_id = ASIA3YQR7W7AQZZBK56A
aws_secret_access_key = U5jeemYSdCDULxPya3dtFwgeXvbM/jPq/CJDkPKx
aws_session_token = FQoGZXIvYXdzEPf//////////wEaDDrEdJtDMLVJuXciEiKwAXtzQ+gG2KsVzSjS8uLmkvTGzdMOrIdNW7VvelmSRMH0SXvzJ1NsOigia/7bZlBXKcQekmwuEWrKuKMtv+3HYVGHC6kH7ZT8CyvL79KT3X9R3KlAUdqCQ0H4Bv6HrJqgC+KUoiBnE4/xBG8lR45jZ45n6Ds7YsLvthhTWg1SBddBC+uMLSRNoBjj/O/MMSXTieGUmsL0INA2mu0YktRq6TOouYKHFHrm6GZNk2i9cq18KJq9legF

Now try to access AWS using the CLI as follows. In my example, I get an exception if I don't pass the MFA token:

$ aws s3 ls --profile mfatest

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

After getting temporary credentials from AWS using the MFA token, I can list the S3 buckets in my account using the other profile, mymfa.
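The steps above (call get-session-token with the MFA token, copy the three credential values into a second profile, use that profile for real work) are easy to get wrong by hand: a pasted-wrong session token or a typo in the profile name fails in confusing ways. The script below is an added example, not code from the original post; it automates the same flow and checks the STS response before writing anything. The base profile name, MFA device ARN and session profile name are placeholders supplied by the caller, and the sample response embedded for the dry run is constructed (fake key material in the documented shape of the STS output). It needs only the aws CLI and POSIX sh; no jq.

```shell
#!/bin/sh
# Added example (not from the original post): obtain MFA-protected temporary
# credentials with `aws sts get-session-token` and store them in a separate
# CLI profile, so the long-lived keys stay in the base profile only.
set -eu

# Extract a string field from the STS JSON response without jq.
# $1 = JSON text, $2 = field name. Prints the value, or nothing if absent.
json_field() {
  printf '%s\n' "$1" \
    | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
    | head -n 1
}

# Sanity-check the response before touching ~/.aws/credentials:
# all three credential fields present, and the access key is a temporary
# STS key (those start with ASIA, unlike long-lived AKIA keys).
# Returns 0 when the response looks right, 1 otherwise.
sts_response_ok() {
  ak=$(json_field "$1" AccessKeyId)
  sk=$(json_field "$1" SecretAccessKey)
  st=$(json_field "$1" SessionToken)
  [ -n "$ak" ] && [ -n "$sk" ] && [ -n "$st" ] \
    && case "$ak" in ASIA*) return 0 ;; esac
  return 1
}

# Write the temporary credentials into a dedicated profile with the CLI's
# own config writer (aws configure set) instead of hand-editing the file.
# $1 = STS JSON response, $2 = profile name to write (e.g. mymfa).
write_session_profile() {
  json=$1; profile=$2
  sts_response_ok "$json" || { echo "unexpected STS response" >&2; return 1; }
  aws configure set aws_access_key_id     "$(json_field "$json" AccessKeyId)"     --profile "$profile"
  aws configure set aws_secret_access_key "$(json_field "$json" SecretAccessKey)" --profile "$profile"
  aws configure set aws_session_token     "$(json_field "$json" SessionToken)"    --profile "$profile"
  echo "profile $profile valid until $(json_field "$json" Expiration)"
}

# Usage: mfa_session <base-profile> <mfa-device-arn> <token-code> <session-profile>
# Example (placeholders): mfa_session mfatest arn:aws:iam::<ACCOUNT_ID>:mfa/mfatest 123456 mymfa
mfa_session() {
  base=$1; serial=$2; code=$3; target=$4
  # --duration-seconds is optional; 3600 keeps the session short-lived.
  json=$(aws sts get-session-token --profile "$base" --serial-number "$serial" \
           --token-code "$code" --duration-seconds 3600 --output json)
  write_session_profile "$json" "$target"
}

# Constructed sample response (shape of `aws sts get-session-token`,
# values fake) so the parsing can be exercised without AWS access.
SAMPLE_RESPONSE='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLE000000001",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FQoGZXIvYXdzEXAMPLESESSIONTOKEN",
        "Expiration": "2019-06-16T09:09:46Z"
    }
}'

# Dry run on the constructed sample; real use is the mfa_session call above.
sts_response_ok "$SAMPLE_RESPONSE" && echo "sample parsed: key $(json_field "$SAMPLE_RESPONSE" AccessKeyId), expires $(json_field "$SAMPLE_RESPONSE" Expiration)"
```

After running mfa_session, everyday commands use the session profile (aws s3 ls --profile mymfa) exactly as in the post, while the base profile keeps failing the MFA-enforcing policy, which is the behaviour you want: a leaked long-lived key alone is not enough to call the protected APIs. When the session expires, re-run mfa_session with a fresh token; aws configure set simply overwrites the three values.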


Conclusion

In this post, we have covered how to set up Multi-Factor Authentication in AWS. I will be posting some advanced security topics in the coming weeks which will need an MFA setup, so this post will serve as a reference.

Hope you like this post.

@IamZeeshanBaig

About DataNext

DataNext Solutions is a US-based system integrator specialized in Cloud, Big Data and DevOps technologies. As a registered AWS partner, our services comprise Cloud Migration, Cost Optimization, Integration, Security and Managed Services. Click here to book a free assessment call with our experts today, or visit our website www.datanextsolutions.com for more info.

DataNext Solutions

Cloud | Security | DevOps | Big Data

Zeeshan Baig

Written by

Cloud Security Expert & CEO of DataNext Solutions, helping people every day with the latest tech. Connect @LinkedIn http://bit.ly/zb-linkedin
