One of the key components to cloud security and a question we hear all the time is around the use of multi-factor authentication (MFA). Implementing MFA is considered more secure than a simple user name and password, because it requires anyone logging in to have something they know (user name and password) and something they have (MFA device).
Implementing MFA on the Root Account is even more important to ensure the integrity of the entire environment. JHC Technology always recommends protecting the Root Account. To do this, we create various security groups and users under the Root Account. Access is then controlled by the security groups and IAM users. For more on IAM and assigning permissions, please click here.
MFA devices can either be physical or virtual. For this entry, I’m going to walk you through the steps to implement an Android virtual MFA with an Amazon Web Services (AWS) account.
This entry does not cover the creation of an AWS account. If you haven’t created an account, visit http://aws.amazon.com. Before we get started, it’s also important to have downloaded and installed two applications: AWS Virtual MFA and ZXing Barcode Scanner (both are free). Before beginning, I highly encourage the review of the MFA FAQs, located here.
Let’s get started:
- Sign in to your AWS account.
- Select IAM from the Management Console.
- Under Security Status, you will see that the Root Account MFA is Disabled. Click on “Manage MFA Device”.
- We are activating a virtual MFA device. Ensure this option is selected and click Continue.
- Since we have already installed the AWS MFA-compatible application, select Continue.
- You will be prompted by the following screen, which is where you need to utilize your Virtual MFA Device. Do not close this window.
- Launch the AWS Virtual MFA from your Android device.
- Click on your device’s menu button and select Scan QR Code.
- Once this code is scanned, the MFA application will show your associated account.
- Now you are prepared to finish authorizing your device. Looking back at your browser window, you will see that in order to synchronize the device, you need to enter two consecutive Authentication Codes. You will use your Virtual MFA to generate these codes.
- Tap the account name on your Virtual MFA. It will generate a six-digit code.
- Enter this code into Authentication Code 1 in your browser.
- Tap your account name on the Virtual MFA to generate another six-digit code. If it’s the same code, you’ll need to tap the name again until the code changes. Keep in mind that the codes need to be consecutive, so you can’t wait five minutes in between entering codes.
- Once you generate the next code, enter that into the browser under Authentication Code 2. Once you’ve done this, select Continue.
- If you have entered the consecutive codes appropriately, you will get validation. Click Finish.
- Now you need to test the MFA authentication.
- Log out of your account.
- Begin the process of signing back into your account. Once you have entered your associated email address and password, you will be prompted by a second screen.
- Open your Virtual MFA application and tap the associated account. This will generate the six-digit code to enter. Enter that number in the Authentication Code field and then click the link to sign in.
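To make the "two consecutive codes" step concrete: a virtual MFA app computes time-based one-time passwords (RFC 6238: HMAC-SHA1 over a 30-second counter, six digits), and the console asks for the code of the current 30-second window followed by the code of the next one, which is why waiting five minutes between the two breaks enrollment. The Python below is an added example, not code from this post or from AWS; the seed is the public RFC 6238 test-vector key, not a real account's secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed input: the RFC 6238 reference seed "12345678901234567890", base32-encoded.
# A real virtual MFA secret comes from the QR code / seed AWS shows at enrollment.
TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), as AWS virtual MFA apps use."""
    # Restore any base32 padding the app or QR code may have stripped.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // step                      # which 30-second window we are in
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def consecutive_codes(secret_b32: str, unix_time: int, step: int = 30):
    """The pair the console expects: the code for this window and for the next one."""
    return totp_code(secret_b32, unix_time, step), totp_code(secret_b32, unix_time + step, step)


def codes_are_consecutive(secret_b32: str, code1: str, code2: str, unix_time: int,
                          step: int = 30, window: int = 1) -> bool:
    """Check two entered codes the way an enrollment endpoint would: code1 must match
    a window near 'now' (+/- window steps for clock drift) and code2 the window after it."""
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if totp_code(secret_b32, t, step) == code1 and totp_code(secret_b32, t + step, step) == code2:
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    c1, c2 = consecutive_codes(TEST_SEED_B32, now)
    print("Authentication Code 1:", c1, " Authentication Code 2:", c2)
    print("accepted:", codes_are_consecutive(TEST_SEED_B32, c1, c2, now))
    # Entering the same code twice (tapping before the window changed) is rejected.
    print("same code twice accepted:", codes_are_consecutive(TEST_SEED_B32, c1, c1, now))
```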
Setting up MFA on your root account is a security best practice that is monitored by AWS’s Trusted Advisor (available to customers with Business Level support) and by third-party products such as CloudCheckr.
A few additional notes:
- MFA access can also be assigned to individual IAM users. MFA is not just for the Root Account.
- Each Virtual MFA device can support only one MFA account. Read more about this here.
- For AWS GovCloud accounts, Virtual MFA devices are the only option. GovCloud does not currently support hardware MFA devices.
- If you lose your device, or experience other problems with an account that has MFA enabled, you will need to contact AWS to get the issue resolved.
Matt Jordan is the Cloud Services Manager for JHC Technology. He can be reached at mjordan(at)jhctechnology.com, @matt_jhc, or connect with him on LinkedIn.