AWS Multi-Factor Authentication FAQs


General

Q. What is AWS MFA?

AWS Multi-Factor Authentication (AWS MFA) provides an extra level of security that you can apply to your AWS environment. You can enable AWS MFA for your AWS account and for individual AWS Identity and Access Management (IAM) users you have created under your account.

Q. How does AWS MFA work?

AWS MFA uses an authentication device that generates six-digit, single-use authentication codes. Each code is derived from a secret shared between the device and AWS and from the current time, so a code is valid only for a short window and cannot be reused. There are two primary ways to authenticate using an AWS MFA device:

  • AWS Management Console users: With AWS MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password (the first factor – what they know), as well as for an authentication code from their AWS MFA device (the second factor – what they have). All AWS websites that require sign in, such as the AWS Management Console, are integrated with AWS MFA. You can also use AWS MFA together with Amazon S3 MFA Delete for additional protection of the object versions stored in Amazon S3.
  • AWS API users: You can enforce MFA authentication by adding MFA-related conditions to IAM policies. To call APIs and access resources protected in this way, developers request temporary security credentials from the AWS Security Token Service (STS), the service that grants temporary security credentials, and pass the optional MFA parameters (the device serial number and a current authentication code) in that request. The resulting MFA-validated temporary security credentials can be used to call MFA-protected APIs and resources.
Q. How do I get AWS MFA?

You follow two easy steps:

  1. Get an authentication device. You have two options:
    • You can purchase an authentication device that is compatible with AWS MFA from Gemalto, a third party provider, using their website, details here.
    • You can install an AWS MFA compatible application on a device such as your smartphone. See here for a list of applications compatible with different smartphone types.
  2. Once you have the authentication device you must activate it. You activate an AWS MFA device for your AWS account or your IAM users in the IAM Console. You can also use the IAM CLI to activate it for an IAM user.
Q. Is there a fee associated with using AWS MFA?

AWS does not charge any additional fees for the use of AWS MFA with your AWS account. However, if you want to use a physical authentication device then you will need to purchase an authentication device that is compatible with AWS MFA from Gemalto, a third party provider. For more details, please visit Gemalto’s website.

Q. Can I have multiple authentication devices active for my AWS account?

Yes. With the introduction of AWS Identity and Access Management (IAM), each IAM user can have its own authentication device.

Q. Can I use my authentication device with multiple AWS accounts?

No. An authentication device is bound to the single user that owns it. Each IAM user can have its own authentication device, but users are scoped to an individual AWS account. If you have a TOTP compatible application installed on your smartphone, you can create multiple virtual MFA devices in it, and each virtual MFA device can be used with a different AWS account or IAM user.

Q. I already have a hardware authentication device from my place of work or from another service I use, can I re-use this device with AWS MFA?

No. AWS MFA relies on knowing a unique secret associated with your authentication device in order to support its use. Because of security constraints that mandate such secrets never be shared between multiple parties, AWS MFA cannot support the use of your existing hardware authentication device. Only a compatible hardware authentication device purchased from Gemalto, a third party provider, can be used with AWS MFA.

Purchasing an Authentication Device

Q. I’m having a problem with placing an order for an authentication device using the third party provider Gemalto’s website. Where can I get help?

Gemalto’s customer service will be happy to assist you.

Q. I placed an order for an authentication device via the third party provider Gemalto’s website but have not yet received it. Where can I get help?

Gemalto’s customer service will be happy to assist you.

Q. I received a defective or damaged authentication device from the third party provider Gemalto. Where can I get help?

Gemalto’s customer service will be happy to assist you.

Q. I just received an authentication device from the third party provider Gemalto. What should I do?

You simply need to activate the authentication device to enable AWS MFA for your AWS account. Click here to start.

Use the IAM console or the IAM CLI to enable AWS MFA for your IAM users.

Provisioning a Virtual MFA device

Q. What is a virtual MFA device?

A virtual MFA device is an entry created in a TOTP compatible software application that can generate six-digit authentication codes. The software application can run on any hardware device, such as a smartphone.

Q. What are the differences between a virtual MFA device and physical MFA devices?

Virtual MFA devices use the same protocols as the physical MFA devices. Virtual MFA devices are software based and can run on your existing devices such as smartphones. Most virtual MFA applications also allow you to enable more than one virtual MFA device which makes them more convenient than physical MFA devices.

Q. What virtual MFA applications are supported with AWS MFA?

Applications that generate TOTP compliant authentication codes, such as the AWS Virtual MFA application, can be used with AWS MFA. We support provisioning virtual MFA devices either by scanning a QR code with the device's camera or by entering the seed manually in the virtual MFA application.

Q. What is a QR code?

QR code is an abbreviation of Quick Response code and is a two-dimensional barcode that is readable by dedicated QR barcode readers and most camera phones. The code consists of black modules arranged in square patterns on a white background. The QR code encodes the security configuration information (the seed and its parameters) required to provision a virtual MFA device in your virtual MFA application. Because it carries the seed, a QR code is as sensitive as the seed itself.

Q. How do I provision a new virtual MFA device?

A new virtual MFA device can be configured in the IAM console for your IAM users as well as for your AWS account. You can also use the iam-virtualmfadevicecreate command in the IAM CLI or the CreateVirtualMFADevice API to provision new virtual MFA devices under your account. The iam-virtualmfadevicecreate command and the CreateVirtualMFADevice API return the required configuration information, called a seed, to bootstrap the virtual MFA device in your AWS MFA compatible application. You can either grant your IAM users the permissions to call this API directly or perform the initial provisioning for them.

Q. How should I handle and distribute the seed material for virtual MFA devices?

You should treat seed material like any other secret (for example AWS secret access keys and passwords). Anyone who obtains the seed can generate valid authentication codes for that device, so deliver it to the user only over a protected channel and do not retain a copy once the device has been provisioned and activated.

Q. How can I enable an IAM user to manage virtual MFA devices under my account?

Grant the IAM user permission to call the CreateVirtualMFADevice API, which provisions new virtual MFA devices. Provisioning a device does not by itself associate it with a user; if the same user should also be able to activate and deactivate devices, grant the EnableMFADevice and DeactivateMFADevice APIs as well (and DeleteVirtualMFADevice to remove virtual devices that are no longer needed).

Enabling AWS MFA

Q. Where do I enable AWS MFA?

You can enable AWS MFA for an AWS account and your IAM users in the IAM console. You can also use the IAM CLI or the IAM API to enable AWS MFA for your IAM users.

Q. What information will I need to activate my authentication device?

If you are activating the MFA device with the IAM console then you only need the device. If you are using the IAM CLI or the IAM API then you will need the following:

  1. The serial number of the authentication device. The serial number is different for a hardware device or a virtual device:
    • Hardware MFA device - The serial number on the bar-coded label on the back of the device.
    • Virtual MFA device - The serial number is the value returned by the iam-virtualmfadevicecreate command in the IAM CLI or by the CreateVirtualMFADevice API.
  2. Two consecutive authentication codes displayed by the authentication device.
Q. My authentication device seems to be working normally, but I am not able to activate it. What should I do?

Please contact us for help.

Using AWS MFA

Q. If I enable AWS MFA for my AWS account or my IAM users, do they always need to use an authentication code to sign in to all AWS properties?

Yes. AWS supports Single Sign-On (SSO) which means that when you sign in to any AWS site you sign in to all AWS sites. This means that if your AWS account or any of your IAM users has an MFA device assigned to them, then they are required to always use this device when they sign in.

Q. If I enable AWS MFA for my AWS account or my IAM users, do they always need to use an authentication code to sign in to the AWS Portal or AWS Management Console?

Yes. The AWS account and your IAM users will need to have their MFA device with them any time they need to sign in to any AWS site.

If the authentication device associated with the AWS account is damaged, lost, stolen, or stops working, you will need to contact us for help with disabling AWS MFA for the account. This will allow you to temporarily sign in to AWS using just the user name and password for the AWS account.

If your IAM users lose or damage their authentication device, it is stolen, or it stops working, you can disable AWS MFA yourself using the IAM console or the IAM CLI.

Q. If I enable AWS MFA for my AWS account or my IAM users, do they always need to enter an MFA code to directly call AWS APIs?

No, it’s optional. However, you will need to enter an MFA code if you plan to call APIs secured by MFA-protected API access.

If you are calling AWS APIs using your root account or IAM user access keys you do not need to enter an MFA code. For security reasons, AWS recommends that you remove access keys from your root account and instead call AWS APIs with IAM users.

Q. How do I sign in to the AWS Portal and AWS Management Console using my authentication device?

Follow these two steps:

  1. If you are signing in as an AWS account, sign in as usual with your user name and password when prompted. To sign in as an IAM user, use the account-specific URL and provide your user name and password when prompted.
  2. On the next page, enter the six-digit authentication code that appears on your authentication device.
Q. Does AWS MFA affect how I access AWS Service APIs?

AWS MFA changes the way IAM users access AWS Service APIs only if the account administrator(s) choose to enable MFA-protected API access. Administrators may enable this feature to add an extra layer of security over access to sensitive APIs by requiring that callers authenticate with an AWS MFA device. For more information, see the MFA-protected API access documentation.

Other exceptions are the S3 PUT Bucket versioning, GET Bucket versioning and DELETE Object APIs, which let you require an additional authentication code when deleting an object version or changing the versioning state of a bucket. For more information, see the S3 documentation on Configuring a Bucket with MFA Delete.

For all other cases, AWS MFA does not currently change the way you access AWS service APIs.

Q. Can I use a given authentication code more than once?

No. For security reasons, each authentication code can be used only once.

Q. I was recently asked to re-sync my authentication device because my authentication codes were being rejected. Should I be concerned?

No, this can happen occasionally. AWS MFA relies on the clock in your authentication device being in sync with the clock on our servers. Sometimes, due to environmental factors such as temperature, humidity, and pressure, these clocks can drift apart. If this happens, when you use the authentication device to sign in to access secure pages on the AWS website or the AWS Management Console, we will automatically attempt to re-sync the authentication device by requesting that you provide two consecutive authentication codes (just as you did during activation).
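The following is an added example, not code from this page or from AWS, showing what sits behind the answers above and in the virtual MFA section: how a seed turns into the six-digit codes (RFC 6238 TOTP over HMAC-SHA1 with 30-second steps), what a provisioning QR code encodes, why a code is single-use, and how two consecutive codes let a server re-synchronise with a device whose clock has drifted. The demo seed is the 20-byte secret from the RFC 6238 test vectors, so the codes can be checked against the RFC; the otpauth label, the one-step tolerance window and the 200-step re-sync search are assumptions, not AWS's actual server-side values, which the page does not state.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

STEP = 30    # seconds per time step (RFC 6238 default used by TOTP apps)
DIGITS = 6   # AWS MFA codes are six digits

# Constructed demo seed: the 20-byte SHA-1 secret from the RFC 6238 test vectors,
# used only so the codes produced here can be checked against the RFC tables.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP whose counter is the number of step-second intervals since the epoch."""
    return hotp(seed, at // step)


def provisioning_uri(seed: bytes, account_label: str, issuer: str = "AWS") -> str:
    """What a provisioning QR code encodes: the base32 seed and its parameters in the
    otpauth key URI format that TOTP apps import. The label is an assumption; the
    page does not show the label AWS uses."""
    secret = base64.b32encode(seed).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account_label}")
    params = urllib.parse.urlencode(
        {"secret": secret, "issuer": issuer, "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{params}"


class Verifier:
    """Server side of one TOTP device. `window` is how many steps of clock skew are
    tolerated on an ordinary sign-in; `offset` is the device clock's learned skew,
    in steps, relative to the server clock. Both sizes are assumptions."""

    def __init__(self, seed: bytes, window: int = 1):
        self.seed = seed
        self.window = window
        self.offset = 0
        self.last_counter = None   # highest counter already accepted (single use)

    def _accept(self, counter: int, code: str) -> bool:
        if self.last_counter is not None and counter <= self.last_counter:
            return False           # a code, once used, is never accepted again
        return hmac.compare_digest(hotp(self.seed, counter), code)

    def verify(self, code: str, now: int) -> bool:
        """Ordinary sign-in: one code, checked against the steps around now + offset."""
        base = now // STEP + self.offset
        for skew in range(-self.window, self.window + 1):
            if self._accept(base + skew, code):
                self.last_counter = base + skew
                return True
        return False

    def resync(self, code1: str, code2: str, now: int, search: int = 200) -> bool:
        """Activation and re-sync: two consecutive codes pin down the device's current
        step even when its clock has drifted far beyond `window`. The remaining
        one-step ambiguity (how long the user took to type) is absorbed by `window`."""
        base = now // STEP
        for skew in range(-search, search + 1):
            counter = base + skew
            if (hmac.compare_digest(hotp(self.seed, counter), code1)
                    and hmac.compare_digest(hotp(self.seed, counter + 1), code2)):
                self.offset = skew
                self.last_counter = counter + 1
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the demo seed:", totp(DEMO_SEED, now))
    print(provisioning_uri(DEMO_SEED, "alice@123456789012"))
```

Run stand-alone it prints the live code for the demo seed and the URI a QR code would carry. Note that the seed leaves the server only once, at provisioning, and that the verifier never stores codes, only the last accepted counter: that single field is what makes a captured code worthless after use.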

Q. My authentication device seems to be working normally, but I am not able to use it to sign in to the AWS Portal or AWS Management Console. What should I do?

We suggest you try re-syncing the authentication device. If you have already tried to re-sync and are still having trouble signing in, please contact us for help.

Q. My authentication device is lost, is damaged, or has been stolen and now I can’t sign in to the AWS Portal or AWS Management Console. What should I do?

If the authentication device is associated with an AWS account, follow these steps:

  1. Contact us for help with disabling AWS MFA so you can temporarily access secure pages on the AWS website and the AWS Management Console using just your user name and password.
  2. Change your Amazon password in case an attacker has stolen your authentication device and may also have your current password.
  3. Purchase a new authentication device from the third party provider Gemalto using their website or provision a new virtual MFA device under your account using the IAM console.
  4. Once you have completed the steps above, use the IAM console to activate the authentication device to re-enable AWS MFA for your AWS account.

If the authentication device is associated with an IAM user, you can use the IAM console, IAM CLI or IAM API to remove the MFA device for the IAM user.

Q. My physical authentication device has stopped working and now I can’t sign in to the AWS Portal or AWS Management Console. What should I do?

If the physical authentication device is associated with an AWS account, follow these steps:

  1. Contact us for help with disabling AWS MFA so you can temporarily access secure pages on the AWS website and the AWS Management Console using just your user name and password.
  2. Contact the third party provider Gemalto for further assistance with the authentication device.
  3. Once you have another authentication device, come back to the AWS website and activate the authentication device to re-enable AWS MFA for your AWS account, just as before.

If the authentication device is associated with an IAM user, you should contact the person who gave you the user name and password for the IAM user.

Q. How do I disable AWS MFA?

To disable AWS MFA for your AWS account, you need to deactivate your authentication device using the Security Credentials page. To disable AWS MFA for your IAM users, you need to use the IAM console or the IAM CLI. Currently, IAM users cannot disable AWS MFA themselves.

Q. Can I use AWS MFA in GovCloud?

Yes, you can use AWS virtual MFA in GovCloud. AWS does not currently support hardware MFA devices in GovCloud.

MFA-protected API access

Q. What is MFA-protected API access?

MFA-protected API access is optional functionality that lets account administrators enforce additional authentication for customer-specified APIs by requiring that users prove physical possession of an MFA device. Specifically, it enables administrators to include conditions in their IAM policies that require MFA authentication for selected APIs. Users making calls to those APIs must first have entered a valid MFA code shown on their device.

Q. What problem does MFA-protected API access solve?

Previously, customers could require MFA for access to the AWS Management Console, but could not enforce an MFA requirement on developers and applications that call AWS service APIs directly. MFA-protected API access lets you express that requirement in IAM policy, so it is enforced regardless of access path. As a result, you can develop your own application that uses AWS and prompts the user for MFA authentication before calling powerful APIs or accessing sensitive resources.

Q. How do I get started with MFA-protected API access?

You can get started in two simple steps:

  1. Assign an MFA device to your IAM users. You can purchase a hardware key fob or download a free TOTP-compatible application for your smartphone, tablet, or computer. For more information on AWS MFA devices, see here.
  2. Enable MFA-protected API access by creating access policies for the IAM users and/or IAM groups that you want to require MFA authentication from. This can be accomplished in the IAM Console, the IAM Command Line Interface (CLI), or the IAM API. To learn more about access policy language syntax, see the access policy language documentation.
Q. How do developers and users access APIs and resources secured with MFA-protected API access?

Developers and users interact with MFA-protected API access both in the AWS Management Console and at the APIs.

  • In the AWS Management Console, any MFA-enabled IAM user must authenticate with their device in order to sign in. Users that do not have MFA will not receive access to MFA-protected APIs and resources.
  • At the API level, developers can integrate AWS MFA into their applications to prompt users to authenticate using their assigned MFA devices before calling powerful APIs or accessing sensitive resources. Developers enable this functionality by adding optional MFA parameters (serial number and MFA code) to requests to obtain temporary security credentials (such requests are also referred to as “session requests”). If the parameters are valid, temporary security credentials which track MFA status will be returned. For more information on temporary security credentials, see the temporary security credentials documentation.
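The following is an added example, not code from this page or from AWS, that makes the MFA-protected API access mechanism above and in the earlier "AWS API users" answer concrete. It builds a policy whose Allow statement carries the two IAM condition keys the page refers to without naming, aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge (seconds since the MFA code was validated), and then runs a deliberately small model of IAM's evaluation over three kinds of caller: long-term access keys (the MFA keys are simply absent from the request context), a session obtained from STS without MFA parameters, and a session obtained with a serial number and code. The evaluator is an assumption-laden simplification (three condition operators, one policy, no resource-policy interplay); the condition key names and the absent-versus-false behaviour are real.

```python
import fnmatch

# Request-context keys AWS sets for calls made with MFA-validated temporary
# credentials. Calls made with long-term access keys carry neither key; a session
# obtained from STS without MFA parameters carries MultiFactorAuthPresent = "false".
MFA_PRESENT = "aws:MultiFactorAuthPresent"
MFA_AGE = "aws:MultiFactorAuthAge"   # seconds since the MFA code was validated

# Constructed request contexts for the three kinds of caller.
LONG_TERM_KEYS = {}                      # key absent, not "false"
PLAIN_SESSION = {MFA_PRESENT: "false"}   # GetSessionToken without SerialNumber/TokenCode


def mfa_session_context(seconds_since_mfa: int) -> dict:
    """Context carried by credentials from a session request that passed valid MFA parameters."""
    return {MFA_PRESENT: "true", MFA_AGE: str(seconds_since_mfa)}


def mfa_protected_policy(actions, resources, max_age_seconds: int) -> dict:
    """Allow `actions` on `resources` only for MFA-validated sessions younger than max_age_seconds.
    Callers without an MFA-validated session fall through to the implicit deny."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": list(resources),
            "Condition": {
                "Bool": {MFA_PRESENT: "true"},
                "NumericLessThan": {MFA_AGE: str(max_age_seconds)},
            },
        }],
    }


def _matches(pattern, value: str) -> bool:
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, context: dict) -> bool:
    """Simplified model of IAM condition evaluation for the operators used here.
    Bool and NumericLessThan are false when the key is absent from the context,
    which is exactly why a long-term-key caller never satisfies an MFA condition."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or actual.lower() != expected.lower():
                    return False
            elif operator == "NumericLessThan":
                if actual is None or not int(actual) < int(expected):
                    return False
            elif operator == "Null":
                if (actual is None) != (expected.lower() == "true"):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """An explicit Deny wins, then any matching Allow, otherwise the implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = mfa_protected_policy(["ec2:TerminateInstances"], ["*"], max_age_seconds=900)
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0example"  # constructed ARN
    for name, ctx in [("long-term keys", LONG_TERM_KEYS), ("plain session", PLAIN_SESSION),
                      ("MFA session, 2 min old", mfa_session_context(120)),
                      ("MFA session, 50 min old", mfa_session_context(3000))]:
        print(f"{name:24s} -> {evaluate(policy, 'ec2:TerminateInstances', instance, ctx)}")
```

The age bound is the part worth copying: without it, one MFA prompt at the start of a long session would authorise the sensitive API for the whole lifetime of the temporary credentials.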
Q. Who can use MFA-protected API access?

MFA-protected API access is available for free to all AWS customers.

Q. Which services will MFA-protected API access work with?

MFA-protected API access is supported by all AWS services that support temporary security credentials. For a list of supported services, see the temporary security credentials documentation.

Q. What happens if a user passes in incorrect MFA device information when requesting temporary security credentials?

The request to issue temporary security credentials will fail. Temporary security credential requests that specify MFA parameters must provide the correct serial number of the device linked to the IAM user as well as a valid MFA code.

Q. Does MFA-protected API access control API access for root accounts?

No, MFA-protected API access only controls access for IAM users. Root accounts are not bound by IAM policies, which is why AWS recommends that you create IAM users to interact with AWS service APIs rather than use root account credentials, and that you remove any access keys from the root account. You can still protect root sign-in to the AWS Management Console by activating an MFA device for the account itself.

Q. Do users have to have an MFA device assigned to them in order to use MFA-protected API access?

Yes, a user must first be assigned a unique virtual or hardware MFA device.

Q. Is MFA-protected API access compatible with S3 objects?

Yes, you can directly attach IAM policies with MFA-related conditions to S3 objects.

Q. Is MFA-protected API access compatible with SQS queues?

Yes, you can directly attach IAM policies with MFA-related conditions to SQS queues.

Q. Is MFA-protected API access compatible with SNS topics?

Yes, you can directly attach IAM policies with MFA-related conditions to SNS topics.

Q. How will MFA-protected API access interact with existing MFA use cases such as S3 MFA Delete?

MFA-protected API access and S3 MFA Delete do not interact with each other. S3 MFA Delete currently does not support temporary security credentials. Instead, calls that require MFA Delete must be made using long-term access keys, and they carry the device serial number and a current authentication code in the request itself (the x-amz-mfa header) rather than relying on MFA status recorded in the credentials.

Q. Does MFA-protected API access work in GovCloud?

Yes, MFA-protected API access works in GovCloud.

Q. Does MFA-protected API access work for federated users?

Customers cannot use MFA-protected API access to control access for federated users. The GetFederationToken API does not accept MFA parameters, so federated users cannot authenticate with AWS MFA devices and will be unable to access resources designated using MFA-protected API access.

©2011, Amazon Web Services LLC or its affiliates. All rights reserved.