May 22, 2015

AWS: Setting up an IAM User with Multi-Factor Authentication (MFA)


When you set up your Amazon Web Services (AWS) account you create a root user that has full privileges in your account. These credentials cannot be restricted by any policy and must be safeguarded: if they fall into the wrong hands, someone else has full control of your account. We all know that credentials should not be shared, but we also know that at times it does happen.

AWS allows you to create up to 5000 users within your account (see IAM Limitations). By default these users have no rights when they are created, but you can grant a user a highly customized set of rights, up to and including full control of the account.

It is a best practice within AWS to immediately set up users through the IAM feature. Included in this is the practice of creating an IAM user for you, the administrator of the account, to use for all of your work. Once this is done you can lock away the root account credentials so no one has to use them and no one else will ever be able to "own" your account. There was a very good presentation on this, and a strong case made for creating yourself an IAM user, at a security session at re:Invent 2014 (SEC305 - IAM Best Practices).

Creating an IAM User

To create a user that will have the administrative rights you need to fully manage the account, navigate to the IAM Users page. Click on "Create New Users" and you will be allowed to enter up to five new users at a time. There is an option to create access keys for the users. Access keys are only needed for programmatic calls to the AWS service APIs (CLI, SDKs, PowerShell); a user who will only use the console does not need them, and every key you do not create is one less secret to protect.

When creating new users you are not prompted to create a password. Once the users are created you can select a user from the list of users and manage information for that user. If the user will need to access the AWS Management Console you will need to create a password for the account. For our purposes, be sure to do this.

When assigning a password you have some of the standard options. You can provide a custom password, or allow the system to generate one for you. You can also force the user to change the password the next time they sign in.

To give the new user administrative rights you also need to attach the "AdministratorAccess" managed policy to the user. This is done with the "Attach Policy" button on the user details page in the AWS Management Console. It lists the policies available within your account and, at the time of writing, lets you select up to two policies for the user.

Simply attaching the AdministratorAccess policy will not allow the IAM user to see the billing information. To allow this you will need to be logged into the AWS Management Console as the root user and follow these steps:

  1. Navigate to the "Billing and Cost Management" page for your account
  2. Select "Account Settings" from the left navigation list
  3. Scroll down the page to the "IAM User Access to Billing Information" section
  4. Select "Edit" for this section
  5. Check the box for "Activate IAM Access"
  6. Click on the "Update" button

Once you have created a user you will log in with that user through your account-specific sign-in URL rather than the generic AWS console login. You can see your specific URL, and customize it with an account alias, by visiting the IAM Dashboard page. Below is an image of my page.

IAM Dashboard Page

Add Multi-Factor Authentication

Multi-Factor Authentication (MFA) adds an extra challenge for a user to authenticate themselves. Typically you are challenged with a requirement to provide a username and a password. This is something that you know. Adding MFA also requires something that you have. So you end up proving both that you know the correct information and that you possess the required device.

AWS uses devices for the "something you have" part of MFA. There are two commonly used solutions for this. One is software based and the other hardware based. I have set up both for users in my AWS account. I first used a software based solution. Since I currently carry a Windows Phone I installed an application named "Microsoft Authenticator". There are apps that are available for both Android and iPhones as well.

I have also purchased 2 different devices that Amazon uses for hardware solutions. These are devices from Gemalto and are available as a fob that you can easily attach to a key chain and as a credit-card-sized device that presumably you could carry in a wallet. The credit card token seems like it might not survive a week in my wallet - but I might be wrong. You can find details about these options on the AWS website (MFA Details).

To configure MFA for a user navigate to the user details page and select "Manage MFA Device". Walking through the configuration you will first indicate the type of device you are configuring, either a software or hardware device, and then associate the device with the user. For a software device AWS will give you a secret key to enter on the device; luckily this can be done by scanning a QR code with your phone's camera. Treat that QR code and secret key as a credential: anyone who captures it can generate the same codes as your device. For a hardware device you will enter the device's serial number into AWS. You will then provide two consecutive 6-digit codes generated by your device and the MFA configuration will be complete.

Logging in with MFA

Once you have configured your new user with the administrator policy and set up a password and MFA device, navigate to your IAM sign-in page (the account-specific URL shown on the IAM Dashboard). The account should already be populated on the page, based on the URL you used. Enter the username and the password and click on the checkbox indicating that you have an MFA device configured. Then get the current 6-digit code from the MFA device and log in.

You are now able to administer your AWS account with your new IAM user.
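Having locked away the root credentials and given yourself an MFA-protected IAM user, the next thing worth doing is checking that the rest of the account matches: the root user should itself have an MFA device, and no IAM user should hold a console password without MFA. The following PowerShell audit is an added example, not code from the original post; it assumes the AWS Tools for PowerShell are installed with credentials that permit iam:GetAccountSummary, iam:ListUsers, iam:GetLoginProfile and iam:ListMFADevices. The function name Test-IamMfaCoverage is my own.

```powershell
# Added example (not from the original post): audit the account for MFA coverage.
# Assumes AWS Tools for PowerShell with IAM read permissions already configured.

function Test-IamMfaCoverage {
    # Account-wide counters; AccountMFAEnabled is 1 when the root user has MFA.
    $Summary = Get-IAMAccountSummary
    $RootMfa = ([int]$Summary['AccountMFAEnabled']) -eq 1

    $Findings = foreach ($User in Get-IAMUserList) {
        # A login profile exists only for users with a console password.
        # Get-IAMLoginProfile raises NoSuchEntity for API-only users, and the
        # error must be made terminating for try/catch to see it.
        $HasPassword = $true
        try {
            Get-IAMLoginProfile -UserName $User.UserName -ErrorAction Stop | Out-Null
        } catch {
            $HasPassword = $false
        }

        # Wrap in @() so a single device still reports Count = 1.
        $MfaCount = @(Get-IAMMFADevice -UserName $User.UserName).Count

        # A console password with no MFA device is the condition to fix.
        $Finding = if ($HasPassword -and $MfaCount -eq 0) { 'PASSWORD_WITHOUT_MFA' } else { '' }

        [pscustomobject]@{
            UserName     = $User.UserName
            ConsoleLogin = $HasPassword
            MfaDevices   = $MfaCount
            Finding      = $Finding
        }
    }

    [pscustomobject]@{
        RootMfaEnabled = $RootMfa
        Users          = @($Findings)
    }
}

# Usage: run the audit and surface the two conditions this post cares about.
$Result = Test-IamMfaCoverage
if (-not $Result.RootMfaEnabled) { Write-Warning 'The root user has no MFA device enabled.' }
$Result.Users | Where-Object { $_.Finding } | ForEach-Object {
    Write-Warning "$($_.UserName): console password without MFA"
}
$Result.Users | Format-Table -AutoSize
```

Note that this only checks console passwords. An IAM user's access keys are not gated by the console MFA prompt at all, so for users who also hold keys, MFA enforcement has to come from an IAM policy condition (aws:MultiFactorAuthPresent) rather than from the sign-in page.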

Windows PowerShell for AWS Commands

Below are the PowerShell commands that would be used to do the work described above.

To create a new IAM user with the username of Mike:

New-IAMUser -UserName Mike

To create a password for the user with the username of Mike:

New-IAMLoginProfile -UserName Mike -Password <password>

To reset the password for the user with the username of Mike:

Update-IAMLoginProfile -UserName Mike -Password <new-password>

Attach the AdministratorAccess policy to the user with the username of Mike:

Register-IAMUserPolicy -UserName Mike -PolicyArn arn:aws:iam::aws:policy/AdministratorAccess

Enable a hardware MFA device for the user with the username of Mike:

Enable-IAMMFADevice -UserName Mike -SerialNumber <device-serial-number> -AuthenticationCode1 <first-code> -AuthenticationCode2 <next-code>

Setting up a software MFA device can be done with PowerShell, but it does require multiple steps and is, in my opinion, not worth it. If you are using a software MFA device I recommend following the instructions above to complete the setup from the AWS Management Console.
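For anyone who does want to script the whole procedure, including the software MFA device, the following is an added example and not code from the original post. It strings the cmdlets above together with New-IAMVirtualMFADevice, whose result carries the TOTP seed as a QR-code PNG and a base32 string, and then binds the device with Enable-IAMMFADevice exactly as for a hardware token. It assumes the AWS Tools for PowerShell are configured with credentials that can create IAM users and attach policies; the user name "Mike" and device name "MikesMFADevice" are placeholders, and the passwords and codes are read interactively so they never end up in a script file or shell history.

```powershell
# Added example (not from the original post): create an administrator IAM user
# with a console password and a software (virtual) MFA device from PowerShell.
# Assumes AWS Tools for PowerShell with IAM administrative credentials.

$UserName   = 'Mike'            # placeholder user name
$DeviceName = 'MikesMFADevice'  # placeholder virtual MFA device name

# 1. Create the user (no rights yet) and a console password that must be
#    changed at first sign-in (the console's "require password reset" option).
New-IAMUser -UserName $UserName | Out-Null
$Initial = Read-Host -Prompt 'Initial console password for the user'
New-IAMLoginProfile -UserName $UserName -Password $Initial -PasswordResetRequired $true | Out-Null

# 2. Grant administrative rights with the AWS managed policy.
Register-IAMUserPolicy -UserName $UserName -PolicyArn 'arn:aws:iam::aws:policy/AdministratorAccess'

# 3. Create a virtual MFA device. AWS returns the seed as a QR-code PNG and a
#    base32 string; both are MemoryStreams on the result object. Write only the
#    PNG to disk, and only long enough to scan it: it is the shared secret.
$Device = New-IAMVirtualMFADevice -VirtualMFADeviceName $DeviceName
$QrPath = Join-Path $env:TEMP "$DeviceName.png"
[System.IO.File]::WriteAllBytes($QrPath, $Device.QRCodePNG.ToArray())
Write-Host "Scan $QrPath with the authenticator app, then continue."

# 4. Bind the device to the user. Two consecutive codes prove the app's clock
#    and seed agree with what AWS generated.
$Code1 = Read-Host -Prompt 'First 6-digit code from the app'
$Code2 = Read-Host -Prompt 'Next 6-digit code from the app'
Enable-IAMMFADevice -UserName $UserName -SerialNumber $Device.SerialNumber `
    -AuthenticationCode1 $Code1 -AuthenticationCode2 $Code2

# 5. Remove the on-disk copy of the secret, then verify the binding.
Remove-Item $QrPath -Force
Get-IAMMFADevice -UserName $UserName | Select-Object UserName, SerialNumber, EnableDate
```

The serial number of a virtual device is an ARN of the form arn:aws:iam::<account-id>:mfa/<device-name>, which is what Enable-IAMMFADevice expects in place of the hardware token's serial. If the enable step fails (for example because the two codes were not consecutive), the unbound virtual device still exists and should be deleted with Remove-IAMVirtualMFADevice before trying again, since a device name can only be created once.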

I hope this was helpful!
