May 22, 2015

AWS: Setting up an IAM User with Multi-Factor Authentication (MFA)

Introduction

When you set up your Amazon Web Services (AWS) account you create a root user that has full privileges in your account. These credentials cannot be restricted by any policy and should be safeguarded: if they fall into the wrong hands someone else has full control of your account. We all know that credentials should not be shared, but we also know that at times it does happen.

AWS allows you to create up to 5000 users within your account (see IAM Limitations). By default these users have no rights when they are created, but you can grant a user a highly customized set of rights, up to and including full control of the account.

It is a best practice within AWS to set up users through the IAM feature immediately. Included in this is the practice of creating an IAM user for you, the administrator of the account, to use for all of your day-to-day work. Once this is done you can lock away the root account credentials so no one has to use them and no one else will ever be able to "own" your account. There was a very good presentation on this, and a strong case made for creating yourself an IAM user, at a security session at re:Invent 2014 (SEC305 - IAM Best Practices).


Creating an IAM User

To create a user that will have the administrative rights you need to fully manage the account, navigate to the IAM Users page. Click on "Create New Users" and you will be allowed to enter up to five new users at a time. There is an option to create access keys for the users. Access keys are required to make programmatic calls to the AWS service APIs (for example from PowerShell); the secret access key is only shown at creation time, so download or record it then, and skip generating keys for a user who will only ever use the console.

When creating new users you are not prompted to create a password. Once the users are created you can select a user from the list and manage that user's details. If the user will need to access the AWS Management Console you will need to create a password for the account. For our purposes be sure to do this.

When assigning a password you have some of the standard options. You can provide a custom password or allow the system to generate one for you. You can also force the user to change the password the next time they sign in.

To give the new user administrative rights you also need to attach the "AdministratorAccess" managed policy to the user. This is done via the "Attach Policy" button on the user details page in the AWS Management Console. It lists the managed policies available within your account and allows you to select up to two of them for the user.

Attaching the AdministratorAccess policy alone will not allow the IAM user to see the billing information. IAM access to billing data is an account-level setting that only the root user can change. To enable it, log in to the AWS Management Console as the root user and follow these steps:

  1. Navigate to the "Billing and Cost Management" page for your account
  2. Select "Account Settings" from the left navigation list
  3. Scroll down the page to the "IAM User Access to Billing Information" section
  4. Select "Edit" for this section
  5. Check the box for "Activate IAM Access"
  6. Click on the "Update" button

Once you have created a user you will use this URL to log in with that user: http://.signin.aws.amazon.com/console. You can see your specific URL, and customize it with an account alias, by visiting the IAM Dashboard page. Below is an image of my page.

IAM Dashboard Page


Add Multi-Factor Authentication

Multi-Factor Authentication (MFA) adds an extra challenge that a user must satisfy to authenticate. Typically you are challenged to provide a username and a password: something you know. Adding MFA also requires you to present something you have. So you end up proving both that you know the correct information and that you possess the required device.

AWS uses devices for the "something you have" part of MFA. There are two commonly used solutions for this: one is software based and the other hardware based. I have set up both for users in my AWS account. I first used a software based solution. Since I currently carry a Windows Phone I installed an application named "Microsoft Authenticator". There are apps available for both Android and iPhone as well.

I have also purchased two different devices that Amazon uses for hardware solutions. These are devices from Gemalto and are available as a fob that you can easily attach to a key chain and as a credit card sized device that presumably you could carry in a wallet. The credit card token seems like it might not survive a week in my wallet, but I might be wrong. You can find details about these options on the AWS website (MFA Details).

To configure MFA for a user, navigate to the user details page and select "Manage MFA Device". Walking through the configuration you first indicate the type of device you are configuring, either a software (virtual) or a hardware device, and then associate the device with the user. For a software device AWS gives you a secret key to enter on the device; luckily this can be done by scanning a QR code with your phone's camera. That key is the seed for the time-based one-time codes, so treat the QR code like a password and do not keep a copy of it. For a hardware device you enter the device's serial number into AWS. You then provide two consecutive 6-digit codes generated by your device and the MFA configuration is complete. The codes are time based, so if the phone's or token's clock has drifted they will be rejected; the same two-consecutive-codes step is how a device is resynchronized.


Logging in with MFA

Once you have configured your new user with the administrator policy and set up a password and MFA device, navigate to your IAM sign-in page (it should be at http://.signin.aws.amazon.com/console). The account should already be populated on the page, based on the URL you used. Enter the username and password, and click the checkbox indicating that you have an MFA device configured. Then get the current 6-digit code from the MFA device and log in.

You are now able to administer your AWS account with your new IAM user. Before you lock the root credentials away, enable MFA on the root user as well; it is the one identity whose permissions cannot be reduced, so it deserves the same second factor.
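Configuring MFA on the user as described above gates console sign-in only. It does not gate the user's access keys: an API call made with long-lived keys succeeds without any code. The script below is an added example, not part of the original post, showing the API-side equivalent of the sign-in above (trading a current code for MFA-backed temporary credentials with Get-STSSessionToken) and, going beyond the console-only case in the text, a policy that denies API calls made without MFA. It assumes the AWS Tools for PowerShell are installed and that the shell's default credentials are the IAM user's own long-lived access keys. The account ID, user name, profile name and policy name are placeholders chosen for this example.

```powershell
# Added example (not from the original post): API-side MFA for an IAM user.
# (a) exchange a TOTP code for MFA-backed temporary credentials via STS;
# (b) attach a policy that denies non-MFA API calls.
# Assumes AWS Tools for PowerShell and default credentials = the user's own keys.
$ErrorActionPreference = 'Stop'
Import-Module AWSPowerShell

$accountId = '123456789012'   # placeholder account ID
$userName  = 'Mike'           # placeholder user name
# A virtual device created with the user's name has this ARN; for a hardware
# token use the serial number printed on it instead.
$mfaSerial = "arn:aws:iam::${accountId}:mfa/$userName"

# (a) Trade long-lived keys plus a one-time code for a one-hour session.
#     Calls made with these credentials carry aws:MultiFactorAuthPresent = true.
$code    = Read-Host -Prompt "Current 6-digit code for $userName"
$session = Get-STSSessionToken -SerialNumber $mfaSerial -TokenCode $code -DurationInSeconds 3600
Set-AWSCredential -AccessKey $session.AccessKeyId -SecretKey $session.SecretAccessKey `
    -SessionToken $session.SessionToken -StoreAs "$userName-mfa"

# Check that the stored profile works and belongs to the expected principal.
$who = Get-STSCallerIdentity -ProfileName "$userName-mfa"
if ($who.Arn -ne "arn:aws:iam::${accountId}:user/$userName") {
    throw "Unexpected caller identity: $($who.Arn)"
}
"MFA session for {0} valid until {1:u}" -f $who.Arn, $session.Expiration

# (b) Deny every action, except the few needed to manage one's own MFA device
#     and to call GetSessionToken, unless the request carries MFA. BoolIfExists
#     treats a missing key (plain long-lived keys) as "false", so those calls
#     are denied too. An explicit Deny overrides the AdministratorAccess Allow.
$denyWithoutMfa = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptMfaSetupWithoutMfa",
      "Effect": "Deny",
      "NotAction": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } }
    }
  ]
}
"@
# Use the MFA-backed profile for the IAM changes so they still work once the
# Deny is in place.
$policy = New-IAMPolicy -PolicyName 'DenyWithoutMFA' -PolicyDocument $denyWithoutMfa `
    -Description 'Deny API access unless the call is MFA-authenticated' -ProfileName "$userName-mfa"
Register-IAMUserPolicy -UserName $userName -PolicyArn $policy.Arn -ProfileName "$userName-mfa"
```

Run part (b) once after the MFA device is enabled. Thereafter start each PowerShell session by repeating part (a) and pass -ProfileName Mike-mfa to cmdlets (or make it the default with Set-AWSCredential -ProfileName Mike-mfa). Note that this attaches a second managed policy to the user, which uses the second of the two slots mentioned earlier. If the device is lost, the root user, which the policy does not touch, can detach the policy and remove the device.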


Windows PowerShell for AWS Commands

Below are the AWS Tools for PowerShell commands that do the work described above. Values in angle brackets are placeholders for your own values.

To create a new IAM user with the username of Mike:

New-IAMUser -UserName Mike

To create a console password for the user with the username of Mike (-PasswordResetRequired is the equivalent of the console option that forces a change at the next sign-in):

New-IAMLoginProfile -UserName Mike -Password '<initial-password>' -PasswordResetRequired $true

To reset the password for the user with the username of Mike:

Update-IAMLoginProfile -UserName Mike -Password '<new-password>' -PasswordResetRequired $true

Attach the AdministratorAccess policy to the user with the username of Mike:

Register-IAMUserPolicy -UserName Mike -PolicyArn arn:aws:iam::aws:policy/AdministratorAccess

Enable a hardware MFA device for the user with the username of Mike, using the serial number printed on the token and two consecutive codes read from it:

Enable-IAMMFADevice -UserName Mike -SerialNumber '<device-serial-number>' -AuthenticationCode1 '<first-code>' -AuthenticationCode2 '<second-code>'

Setting up a software MFA device can also be done with PowerShell (New-IAMVirtualMFADevice creates the device and returns the seed, and Enable-IAMMFADevice then activates it using the device's ARN as the serial number), but it does require multiple steps and is, in my opinion, not worth it. If you are using a software MFA device I recommend following the instructions above to complete the setup from the AWS Management Console.
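The commands above are the individual pieces. As an added example, not the author's own script, here is the whole procedure from the sections above in one PowerShell script, including the software MFA steps the previous paragraph refers to: New-IAMVirtualMFADevice to create the device and obtain its seed as a QR code, then Enable-IAMMFADevice with the device's ARN as the serial number, followed by a check that the user ended up with the device and policy intended. It assumes the AWS Tools for PowerShell are installed and that the shell is running with credentials allowed to manage IAM (for example the root account, used once for this purpose). The user name and the temporary file path are placeholders.

```powershell
# Added example (not from the original post): end-to-end provisioning of an
# administrative IAM user with a console password and a software (virtual) MFA
# device using the AWS Tools for PowerShell. Assumes the module is installed and
# the current credentials may manage IAM. User name and path are placeholders.
$ErrorActionPreference = 'Stop'
Import-Module AWSPowerShell

$userName   = 'Mike'                              # placeholder
$qrCodePath = Join-Path $env:TEMP "$userName-mfa.png"

# 1. Create the user. A new IAM user has no permissions at all.
$null = New-IAMUser -UserName $userName

# 2. Console password, changed at first sign-in. Read-Host keeps the initial
#    password out of the shell history.
$initialPassword = Read-Host -Prompt "Initial password for $userName"
New-IAMLoginProfile -UserName $userName -Password $initialPassword -PasswordResetRequired $true

# 3. Attach the AWS managed AdministratorAccess policy. Billing data still
#    needs "Activate IAM Access" set by the root user in the console.
Register-IAMUserPolicy -UserName $userName -PolicyArn 'arn:aws:iam::aws:policy/AdministratorAccess'

# 4. Create the virtual MFA device. The response carries the TOTP seed both as
#    a Base32 string and as a PNG QR code. Write the PNG so it can be scanned
#    with an authenticator app; it is the secret, so it is deleted afterwards.
$device = New-IAMVirtualMFADevice -VirtualMFADeviceName $userName
[System.IO.File]::WriteAllBytes($qrCodePath, $device.QRCodePNG.ToArray())
Write-Host "Scan $qrCodePath with your authenticator app, then enter two consecutive codes."

# 5. Activate the device with two consecutive codes. For a virtual device the
#    "serial number" is the device ARN. The codes are time based, so a stale
#    pair (or a phone with a wrong clock) makes this call fail.
$code1 = Read-Host -Prompt 'First 6-digit code'
$code2 = Read-Host -Prompt 'Second 6-digit code'
try {
    Enable-IAMMFADevice -UserName $userName -SerialNumber $device.SerialNumber `
        -AuthenticationCode1 $code1 -AuthenticationCode2 $code2
}
finally {
    Remove-Item $qrCodePath -Force -ErrorAction SilentlyContinue
}

# 6. Verify the result: one enabled MFA device and the expected policy.
$mfa      = @(Get-IAMMFADevice -UserName $userName)
$policies = @(Get-IAMAttachedUserPolicyList -UserName $userName)
if ($mfa.Count -ne 1) { throw "Expected 1 MFA device for $userName, found $($mfa.Count)" }
if ($policies.PolicyName -notcontains 'AdministratorAccess') { throw "AdministratorAccess not attached to $userName" }
"User {0}: MFA device {1}, policies: {2}" -f $userName, $mfa[0].SerialNumber, ($policies.PolicyName -join ', ')
```

For a hardware token, replace step 4 with the serial number printed on the device and pass that string as -SerialNumber in step 5. The QR code file is removed in a finally block so the seed does not survive on disk even if activation fails; if it does fail, delete the unactivated device with Remove-IAMVirtualMFADevice before trying again.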

I hope this was helpful!

May 15, 2015

Thoughts on Technical Certifications

I earned my first technical certification in 1996. Since then I have passed a total of 26 Microsoft exams. I have also earned other certifications from other vendors including trainer certifications and Java certification. I realize that there has always been a mixed reaction to certifications in the technical community. It seems that early on certifications on the IT Pro side of the industry were very common, and even a requirement for many jobs. The same level of acceptance has never seemed to exist for developer certifications.

Since this is the case, why have I taken a relatively large number of certification exams, and why am I about to embark on another series of tests? The main push for me has been to give myself a measurement of my learning. I have felt like the exams set a bar of understanding or knowledge on a topic that the vendor feels demonstrates an acceptable level of comprehension of the topic.

One of the complaints that people have about certifications is what has been called the “paper certification”. This is how people refer to those who simply cram information into their heads only long enough to pass an exam. Sometimes this comes from people using various exam cheats that are widely available. I have never used these cheats and I never will. I have taken the path of research, study and hands on experience to prepare myself for the tests I have taken. I have never earned the certifications for others - I've earned them for myself. If they give me an advantage in others' eyes that is great, but the real purpose for me is to test my knowledge against the metrics outlined by the vendor. (Update - I just found this Dilbert cartoon that jokes about this kind of situation: http://dilbert.com/strip/2000-08-31)

I have also taken part in the blueprinting and creation of a few certification exams. This has given me better insight into how the vendor sets those metrics and what they mean. Having participated in the process of creating exams I know that there are many opportunities in the exam creation process for picking the wrong things to focus on and measuring skills that do not matter so much in actual usage. However I feel that there are also many checks in place to minimize the number of these “misses” on the exams. There are experts involved in the creation process and they work together to make a final product that they can each be proud of – just like the majority of people who work on software projects. The process, and outcome, are seldom perfect, but the certification can still be useful.

Neudesic has been involved in the Microsoft Cloud (Azure) since before it was publicly announced. I have had exposure to, and worked in Azure since those early days. I earned the first Microsoft Azure certification and ran an Azure focused user group in the Salt Lake City area for a few years.

Recently I had the opportunity to take a class on Amazon Web Services. It was a short class that focused on solutions architecture using AWS. Through this and other study I have had an introduction to many of the features of the Amazon Cloud and am now pursuing the Amazon Certification track.

I am starting with the AWS Certified Solutions Architect – Associate exam. After earning that designation I plan to continue with the Professional certification. The Associate certification is a prerequisite to the Professional level – so it is a mandated path I am following.

For information on the AWS certifications check out this site: https://aws.amazon.com/certification

Watch for some AWS focused posts in the future. And hopefully I’ll put some content together for one or more new Pluralsight courses too.


What are your thoughts on certification? How have you studied for exams in the past? What is your next planned certification?

May 8, 2015

What Made them the Greatest Generation and can We Be Better Too?

As we mark the 70th anniversary of V-E Day it is worth thinking about some of the traits of those we call the “greatest generation”. Both of my grandfathers worked in critical support roles for the war effort, resulting in neither of them joining the military and directly participating in the war. My dad’s father worked for the railroad, and my mom’s dad worked at the large open pit copper mine in the Salt Lake City area.
I found this story in the USA Today this morning. It is a great tribute to a father who did serve and should be honored: Voices: My dad was a fitting member of the "Greatest Generation". I particularly liked the points where the author recounts her dad saying “I’ll do this for you”.

I don’t want to be too simplistic in my assessment, but I feel that attitude was very common in that generation and is being lost as we move further away from those times. I mentioned my grandfathers not serving at the beginning of this article – they and many others of that generation had that attitude too. Those were times when neighbors knew each other and watched out for each other. They seem to have truly felt, and showed, a love for one another and a desire to help and serve each other.

I was honored last weekend to meet an elderly gentleman and have a brief conversation with him and his wife. I learned that he had just celebrated his 95th birthday and that he had served in both World War II and in the Korean conflict. His wife proudly let my son and me know that he had retired from the US Army as a full Colonel. He still looked fit and full of life; she was bent over and walking slowly with the help of a walker. I met him as he was serving her, helping her into a restaurant.
We met Colonel “Pete” and his wife as I was rushing out of a restaurant. I had taken my youngest to eat after his baseball games and I was late for a meeting for a service trip that my daughter, wife and I are going on later this year. I was in a hurry and walked past them as I was heading for the truck. They were about 10 yards from the door to the restaurant. My son stopped and held the door open for them even though they were a ways away and moving slowly. When I stopped Pete and I began to talk.

It was a wonderful experience to meet him and learn a little about his life and his family. It was great to see his wife so proud of the man she had married so many years before. My son gave me an opportunity that I would have just rushed by. Colonel Pete, I did not get his last name, was very impressed by my son performing that little act of service, simply holding the door open. He commented on what a fine young man he must be.

I must admit that nothing makes me more proud of my children than to hear people comment on how polite and caring each of them is. They excel at many different things and I am proud of them for that. But every time I’ve heard a teacher in parent teacher conferences talk about how they treat others I am filled with pride. I believe that is what really counts; that is what shows their true character.

I’d like to know what the world would be like if more of us, more often, took time to meet and serve strangers in our daily activities. It is so easy to be in a rush today. It can cause us to miss great opportunities. I may never see or talk with Colonel Pete or his wife again, but my life is better for the time I did. I challenge you to seek out opportunities in the next week to meet and serve someone. It may change their life, and I believe it can certainly change yours! Let’s try to emulate some of those traits that were so well demonstrated by our “greatest generation”.

What traits do you see in others that you believe emulating would make us better?