Enabling MFA



As your organization grows, more and more people are going to need access to your cloud resources. The ability to create and assign granular permissions is crucial to keeping your data safe and to preventing unauthorized access to restricted information.

Identity and Access Management (IAM) is the AWS service that gives you centralized control over access to your AWS resources. It allows you to write fine-grained policies in JSON that grant distinct privileges for each resource. This course will tell you what you need to know to get started hardening your infrastructure.

Who should take this course

This is a beginner-to-intermediate course, so no previous experience is required; nevertheless, some knowledge of AWS and its main services (such as EC2 and S3) will help you better understand the concepts you'll encounter. You may therefore want to check out other AWS courses before tackling this tutorial.



In this video, we'll explore AWS's Multi-Factor Authentication, or MFA, feature. I'm sure most of you already know about the security problems associated with passwords. We need them, but they're just not good enough on their own: most of the time they're too easy to guess or crack, they're reused across too many accounts (so if any one of those accounts is breached, every account that password was used for is suddenly vulnerable), or they're simply not rotated often enough. MFA therefore adds a second factor on top of the password: something the user has, which an attacker who only holds the password cannot supply. The first step is to provide your user with either a dedicated hardware MFA device or, more commonly, an authenticator app on a smartphone such as Google Authenticator. Note that a virtual MFA device must be an app that produces six-digit time-based one-time passwords (TOTP, RFC 6238), which is what the standard authenticator apps do. Let's go to IAM, then "Users", and click on the user Alice. Alice doesn't yet have any MFA set up, so let's manage her MFA device.

We can choose between a virtual device and a hardware MFA device. We'll choose virtual and go to the next step. We'll read that notice and go to the next step again. Now Alice gets out her smartphone and uses her authenticator app to scan this QR code. The QR code carries the secret seed for the device; from that seed, Google Authenticator (or whichever authenticator she's using) displays a fresh six-digit code every 30 seconds. Alice types in the first code, waits for the next one, types that in as well, and clicks "Next step". The two consecutive codes prove that her app holds the right seed and let AWS line up its clock with the app's, and the device is now enabled. The next time Alice signs in to the console for this account, she'll enter the account alias, her user name and her password, and then be prompted for an authentication code.

That code is not sent to her phone: her authenticator generates it locally from the seed it scanned and the current time, so it works even with no network connection. She reads the current code off the smartphone, types it into the prompt, and she's in. This works, by the way, not only for console logins but also for API and CLI access, with one difference: there, MFA is enforced by policy rather than at sign-in. The user calls STS GetSessionToken with the device's serial number and a current code, and the temporary credentials it returns carry the aws:MultiFactorAuthPresent request-context key that an IAM policy condition can require. Of course, these things sometimes fail. Let's go back to "Users". Sometimes a smartphone is lost or stolen, or for some reason just doesn't work properly anymore.
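An added example (not part of the original course) of what "enforced by policy" means for API calls. The two policies below are constructed, and the evaluator is a deliberately simplified model of IAM's condition semantics: it covers only the Bool and BoolIfExists operators and the aws:MultiFactorAuthPresent key, following what AWS documents for them (Bool never matches a key that is absent from the request context, BoolIfExists treats an absent key as a match, and the key is absent entirely for calls made with long-term access keys). Action matching is reduced to a trailing-wildcard prefix check; real IAM evaluation is considerably richer.

```python
# Added example, not from the original course. Simplified model of how IAM
# evaluates the aws:MultiFactorAuthPresent condition key for an API call,
# using AWS's documented semantics for the Bool and BoolIfExists operators.
# Policies and request contexts below are constructed for this example.

from typing import Optional

# Constructed request contexts. A call signed with long-term access keys has
# no aws:MultiFactorAuthPresent key at all; temporary credentials from
# GetSessionToken carry it as "false" or "true".
CTX_ACCESS_KEYS = {}
CTX_SESSION_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
CTX_SESSION_MFA = {"aws:MultiFactorAuthPresent": "true"}

# Weak policy: deny when the key is false. Looks right, but an absent key makes
# the Bool condition evaluate to no-match, so long-term access keys slip through.
POLICY_WEAK = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Corrected policy: BoolIfExists treats a missing key as a match, so the deny
# also fires for calls made with plain access keys.
POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def condition_matches(condition: Optional[dict], ctx: dict) -> bool:
    """Evaluate a Condition block limited to the Bool / BoolIfExists operators."""
    if not condition:
        return True
    for operator, clauses in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported operator in this model: {operator}")
        for key, wanted in clauses.items():
            if key not in ctx:
                # Bool: a missing key never matches. BoolIfExists: it matches.
                if operator == "Bool":
                    return False
                continue
            if ctx[key].lower() != str(wanted).lower():
                return False
    return True


def _action_matches(pattern: str, action: str) -> bool:
    """Exact match or trailing-wildcard prefix match (simplified)."""
    if pattern == "*" or pattern == action:
        return True
    return pattern.endswith("*") and action.startswith(pattern[:-1])


def is_allowed(policy: dict, action: str, ctx: dict) -> bool:
    """Explicit Deny wins; otherwise some Allow must match; default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(a, action) for a in actions):
            continue
        if not condition_matches(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for name, policy in (("weak", POLICY_WEAK), ("fixed", POLICY_FIXED)):
        for label, ctx in (("access keys", CTX_ACCESS_KEYS),
                           ("session, no MFA", CTX_SESSION_NO_MFA),
                           ("session, MFA", CTX_SESSION_MFA)):
            print(f"{name:5} policy, {label:16}: "
                  f"{'ALLOW' if is_allowed(policy, 's3:ListBucket', ctx) else 'DENY'}")
```

The point to take away: with the weak policy, a user who never enrolled an MFA device at all can still use their long-term access keys for every API call, because the deny condition never matches. The fixed policy denies unless the call was made with temporary credentials obtained with an MFA code.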

Let's see how we can manage an MFA device. Let's go to Alan. Alan already has an MFA device set up on his account, so let's manage his MFA device. Here we have a choice. We can keep the existing MFA device. We can re-synchronize the MFA device: sometimes the app hasn't failed at all, but its clock has drifted far enough that its codes no longer match, and entering two consecutive codes lets AWS recompute the offset. Or we can deactivate the MFA device if it's been stolen or lost. This works because we're signed in as the root user of the account (or as an administrator with permission to manage other users' MFA devices) and we're managing Alan's device for him. However, if the MFA device associated with the root account itself is lost or compromised, you'll have to go through AWS's account-recovery process or contact AWS Support to work through that problem. In any case, let's click "Deactivate MFA device", and we now see that the multi-factor authentication device field says "No": once again there is no MFA device associated with Alan's account. Remember that a deactivated device leaves the user with password-only sign-in, so treat this as a temporary state and enrol a replacement device promptly.

About the Author
David Clinton
Linux SysAdmin

David taught high school for twenty years, worked as a Linux system administrator for five years, and has been writing since he could hold a crayon between his fingers. His childhood bedroom wall has since been repainted.

Having worked directly with all kinds of technology, David derives great pleasure from completing projects that draw on as many tools from his toolkit as possible.

Besides being a Linux system administrator with a strong focus on virtualization and security tools, David writes technical documentation and user guides, and creates technology training videos.

His favorite technology tool is the one that should be just about ready for release tomorrow. Or Thursday.