Quick steps to enable AWS multi-factor authentication (MFA)

AWS secures the underlying infrastructure, but organisations are responsible for locking down account access and integrity. Here is a simple way to set up MFA on AWS.

IT organisations on the road to AWS can leave access doors wide open behind them.

While comprehensive cloud security costs money and involves complex procedures, multifactor authentication (MFA) is one simple way to protect AWS workloads without much additional spending.

What is MFA?

AWS Multi-Factor Authentication requires users to provide unique identification to log in to their AWS cloud environment, in addition to their regular sign-in credentials. This little extra step makes a huge difference to AWS security. If unauthorized people somehow get ahold of login credentials, they still need this additional authentication to access the account. MFA can stop attacks before they even begin.

In 2014, code hosting and project management services provider Code Spaces was put out of business after an attacker got access to its AWS console. In an attempt to extort money, the attacker deleted all of the company’s S3 buckets, snapshots of Elastic Block Store volumes and Amazon Machine Images. Code Spaces couldn’t recover after losing almost all of its customers’ data. The company reported that it actually had a decent degree of redundancy in place for expected losses during normal operations but was vulnerable to someone with high-level privileges and account access.

This incident should be a lesson to any company employee with AWS credentials, especially those with admin-level permissions. It could have been avoided with AWS multi-factor authentication features enabled.

How do I enable MFA?

To enable AWS MFA, log in to the AWS Management Console and go to the Identity and Access Management service. Once there, choose a user and go to their Security credentials tab. Next to Assigned MFA device, click Manage. Select the MFA type you want to use, and then follow the on-screen instructions.