1. Home
  2. Training Library
  3. Amazon Web Services
  4. Amazon Web Services Courses
  5. Introduction to Security Best Practices for Linux Instances on AWS

How to enable Multi-Factor Authentication

Start course

Launching your EC2 instance is just the first step to becoming an AWS professional: securing your cloud resources is something you just can't ignore. In this course the experienced Linux System Administrator David Clinton will share some common best practices to enhance your infrastructure security.

You'll learn how to manage access to your instances with IAM and Multi Factor Authentication, how to encrypt your storage, how to keep your Linux instance updated with security patches, how to monitor your system and your network to ensure that nobody unauthorized is using your resources, and finally, the basic principles of penetration testing and how to use nmap to ensure that your security group is properly configured.

Who should take this course

This course is aimed even at beginners with little or no experience with cloud security. Some basic knowledge about Linux system administration, TCP/IP, and security topics are recommended.

To increase your knowledge, you may want to check our many AWS courses, in particular the ones introducing EC2 and S3. And why not take the challenge and try out a quiz?


Hi, and welcome to CloudAcademy.com's video series on security and particularly security in the AWS Amazon system. In this video we're going to talk about MultiFactor Authentication or MFA. We've already discussed passwords and they're critically important but they have their limits. For instance, the passwords that your users will choose are often too easy to guess or too easy to hack. They're not long enough, they contain only letters or they reflect birth dates of their children or something like that, sometimes the user will use one password for many many accounts for his or her shopping accounts and credit card accounts and for email accounts. If any one of these accounts is hacked, then every other account using the same password is suddenly vulnerable.

Sometimes passwords are good and they're used only for particular systems but they're just not updated frequently enough. It can go years sometimes without updating passwords and if there's a vulnerability on a system at any point during those years, then every activity thereafter is vulnerable.

Finally, passwords no matter how good they may be are vulnerable to spoofing, either email spoofs where somebody might send an email to a user claiming to be from the company administration and requesting that they log on to a particular web page and use their password to get into their account when in fact it's a webpage that may look like it's coming from this company but it's actually created by someone else who's harvesting usernames and passwords. Or it could be a telephone spoof somebody in the company is big enough calling up and claiming to be from IT from Information Technology Department, and saying we got a bit of a problem with your account would you mind just telling us your username and password over the phone and we'll clear that up right away.

This is actually sometimes the most effective type of vulnerability that passwords and accounts could be subject to. So passwords on their own for sensitive data often just aren't enough.

We can add another layer of protection to an account using MFA MultiFactor Authentication an MFA-enabled system might make use of one or another form of hardware device whose physical proximity to the computer which is attempting to log in to the system would offer an extra layer of guarantee, an extra layer of assurance that the user in fact is the user that you've given these authorities to. You could also use a virtual device, even if not all of your employees necessarily have or want access to another small physical device, they nearly all have smartphones to which can be downloaded software to create a virtual MFA device. Let's say if we're using an Android smartphone you might go to Google Play Store and download a software like Google Authenticator.

Once you've set that up on your smartphone we'll enable MFA on our Amazon account and then we'll associate the smartphone with its MFA software to our account. Let's go to IAM and we see that the root account MFA is currently disabled, click on manage MFA device. We will select a virtual MFA device because we're working with the smartphone that our user happens to own anyway. We'll continue and we'll use the scanner, the QR code scanner that is associated with Google Authenticator to scan this QR code.

And that will present us with first one and then a second authentication code, usually the first code will be visible for about 30 seconds and then it will be replaced by a second code, and a third, and a fourth and a fifth. We're not going to worry about those. But the nice thing about the system is that these pass codes are forgotten once they are more than a couple of minutes old they become invalid.

So even if somebody was looking over your shoulder somehow manage to make a note of the code that you're entering, it'll be useless to him or her in another few minutes. So you enter the first two codes that you see one after the other and you click on continue and you're done.

This smartphone will now be associated with this Amazon account. The next time the user wants to log in through a PC to the Amazon account, he'll be asked to use the Google authenticator on his smartphone to add that physical hardware factor to authentication.

About the Author
Learning Paths

David taught high school for twenty years, worked as a Linux system administrator for five years, and has been writing since he could hold a crayon between his fingers. His childhood bedroom wall has since been repainted.

Having worked directly with all kinds of technology, David derives great pleasure from completing projects that draw on as many tools from his toolkit as possible.

Besides being a Linux system administrator with a strong focus on virtualization and security tools, David writes technical documentation and user guides, and creates technology training videos.

His favorite technology tool is the one that should be just about ready for release tomorrow. Or Thursday.