AWS Security Blog
A Convenient New Hardware MFA Form Factor
Is your key chain too full for yet another key fob? Ever find yourself locked out of AWS because you didn’t have your key chain on hand? Gemalto, a third-party provider, has just released a new multi-factor authentication (MFA) device in a convenient “credit card” form factor that fits comfortably into a wallet. It works like a traditional MFA one-time password (OTP) device—you follow the same easy setup steps, and you simply tap the button on the card to display the authentication code.
If you haven’t yet activated AWS MFA, now is a great time to do so. It’s one of the simplest ways to help significantly improve the security of your AWS account. With AWS MFA enabled for a user, when the user signs in to an AWS website, he or she will be prompted not only for a username and password (the first factor – what they know), but also for an authentication code from their AWS MFA device (the second factor – what they have).
MFA is easy to set up. All you need is an MFA device, like the traditional fob-style device or the new credit-card-style device. Alternatively, you can use a virtual MFA device, which is software that runs on a phone or tablet. In the AWS Management Console, a wizard walks you through associating the device with your AWS account or with an AWS Identity and Access Management (IAM) user. You can find the details in the AWS IAM documentation.
Who should use AWS MFA?
AWS security best practice is to require all highly privileged users to sign in with MFA. This includes:
- Your AWS root account – Because your AWS root account has unrestricted permissions to your AWS resources, we recommend that you lock it down with MFA and store the MFA device in a secure place, such as a safe. We recommend that you don’t use your account for day-to-day access. Instead, create an IAM user for yourself, give that IAM user administrative privileges, and use that IAM user for all your work.
- IAM users – Depending on the permissions assigned to an IAM user, it can have admin-level privileges similar to root or be limited to access a single service or resource. Just as with root accounts, best practice is to secure IAM user login with MFA if your IAM user is highly privileged.
What else can AWS MFA do?
AWS MFA helps secure sign-in access to the AWS Management Console, but it’s capable of much more, including:
- MFA-protected API access – You can enforce MFA for programmatically calling AWS APIs.
- Cross-account access – You can enforce MFA when IAM users from one AWS account make programmatic requests for resources in a different account.
- S3 Versioning – S3 Versioning enables you to revert to older versions of an S3 object, which helps provide protection against accidental or malicious deletion. You can configure S3 Versioning to require MFA in order to suspend or reactivate versioning, or for permanently deleting an object.
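MFA-protected API access and MFA-gated cross-account access are both expressed in IAM policy language through the `aws:MultiFactorAuthPresent` condition key: an Allow statement (or a role trust policy) that requires the key to be true, or a Deny statement that fires when the key is false. The example below is added here and is not AWS code; it is an offline checker that classifies the statements of a policy document and flags the common mistake of writing the Deny with `Bool` instead of `BoolIfExists`, which leaves the deny unmatched for requests where the key is absent (for example, calls signed with long-term access keys). The sample policies, their `Sid` values, and the function names are constructed for this illustration.

```python
"""Offline check that an IAM policy document actually enforces MFA.

Added example, not AWS's own code. It recognises the two patterns AWS documents
for MFA-protected API access:
  * Allow ... Condition: {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  * Deny  ... Condition: {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
and flags a Deny that uses plain "Bool", which does not match when the key is
absent from the request context. Sample policies below are constructed.
"""
import json

MFA_KEY = "aws:MultiFactorAuthPresent"


def _as_list(value):
    """IAM allows a bare string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_value(stmt, operator):
    """Lower-cased value of the MFA key under `operator`, or None if not tested."""
    cond = stmt.get("Condition", {}).get(operator, {})
    for key, val in cond.items():
        if key.lower() == MFA_KEY.lower():
            return str(_as_list(val)[0]).lower()
    return None


def statement_enforces_mfa(stmt):
    """Classify one statement: 'allow', 'deny', 'weak-deny', or None."""
    effect = stmt.get("Effect")
    if effect == "Allow" and _condition_value(stmt, "Bool") == "true":
        # Absent key -> Bool evaluates false -> no permission granted. Safe.
        return "allow"
    if effect == "Deny":
        if _condition_value(stmt, "BoolIfExists") == "false":
            # Absent key counts as a match, so non-MFA requests are denied. Safe.
            return "deny"
        if _condition_value(stmt, "Bool") == "false":
            # Absent key -> Bool does not match -> deny never applies. Weak.
            return "weak-deny"
    return None


def findings(policy):
    """Return [(Sid, classification)] for every statement that tests the MFA key."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    out = []
    for stmt in _as_list(policy.get("Statement", [])):
        cls = statement_enforces_mfa(stmt)
        if cls is not None:
            out.append((stmt.get("Sid", "<no Sid>"), cls))
    return out


def policy_enforces_mfa(policy):
    """True if at least one statement correctly gates access on MFA."""
    return any(cls in ("allow", "deny") for _, cls in findings(policy))


# --- constructed sample policies (Sids and action lists are illustrative) ---
DENY_WITHOUT_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyEverythingWithoutMFA",
        "Effect": "Deny",
        # Leave the calls needed to enrol a device and fetch an MFA session open.
        "NotAction": ["iam:ListMFADevices", "iam:CreateVirtualMFADevice",
                      "sts:GetSessionToken"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

WEAK_DENY_POLICY = json.loads(json.dumps(DENY_WITHOUT_MFA_POLICY))
WEAK_DENY_POLICY["Statement"][0]["Condition"] = {
    "Bool": {"aws:MultiFactorAuthPresent": "false"}}

ALLOW_WITH_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "S3OnlyWithMFA",
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

NO_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AdminNoMFA", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, pol in [("deny", DENY_WITHOUT_MFA_POLICY), ("weak", WEAK_DENY_POLICY),
                      ("allow", ALLOW_WITH_MFA_POLICY), ("none", NO_MFA_POLICY)]:
        print(name, policy_enforces_mfa(pol), findings(pol))
```

The same `aws:MultiFactorAuthPresent` test placed in a role's trust policy is what gates the cross-account case described above, so the checker can be run over trust policies as well as identity policies. The `Bool` versus `BoolIfExists` distinction matters only for Deny statements: in an Allow, an absent key simply fails to grant, which is the behaviour you want.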
If you have questions about using MFA, please post them to the IAM Forum.