Introduction
Amazon Web Services provides a very robust permissions and policy management system through IAM (Identity and Access Management). One step further that a corporate administrator can take to protect their most restricted accounts is Multi-Factor Authentication.
Multi-Factor Authentication, also known as Two-Factor Authentication, is an added layer of protection beyond the typical username and password. Typical devices use secure algorithms to provide the user with a rotating code, which they must supply in addition to their username and password. Most commonly, this is used throughout the industry by way of RSA tokens and Google Authenticator, to do anything from restricting access to a VPN to adding a layer of security to Virtual Desktop and email environments.
Multi-Factor Authentication is typically achieved by way of either hard or soft tokens (small pieces of hardware with a rotating LED display, or smartphone apps). AWS MFA supports both. It ensures that, even if your password is compromised, any would-be attacker would also need physical access to either your phone or your hard token. They cannot log in without all three pieces of information: username, password and the current code.
More information about how to obtain one can be found here.
For this exercise, we will be setting up MFA on a mock-user’s Administrator account with IAM. We will be using a soft token, Google Authenticator on an iPhone.
In this blog, we’ll explore a few basic concepts. The first will be to walk you through “How” to secure an account using MFA. The second will be a quick tour through IAM policies and how to leverage them to REQUIRE users to have authenticated via MFA before executing specific actions.
Download and install Authenticator / Google Authenticator using the appropriate link below:
iPhone/iPad: https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8
Android Device / Blackberry: http://m.google.com/authenticator
Windows Phone 8: http://www.windowsphone.com/en-us/store/app/authenticator/e7994dbc-2336-4950-91ba-ca22d653759b
Configure IAM User to use MFA
Now that the app is installed, the next step is to associate your IAM user and token with a virtual MFA device. To do this, log in and navigate to the IAM user management page. If you are setting up MFA for an account which does not have IAM access, an administrator will need to assist you with these next steps:
https://console.aws.amazon.com/iam/home?#users
Check the box next to the user for whom you would like to add an MFA device and navigate to the Security Credentials tab at the bottom of the screen.

Click on the “Manage MFA Device” button in the bottom right. In the dialog box that appears, select “A virtual MFA device” to continue.
You will be presented with the following screen. It contains a QR code to easily load the token into your smartphone app. For smartphones which may not be equipped with a camera (as is the case with some Blackberrys), a “secret configuration key” can be unhidden and typed in manually.
If enabling this for a remote user without direct IAM access, you can use the Windows Snipping Tool to email out the QR code, or copy and paste the secret configuration key.
When prompted to enter account details, click the “Scan Barcode” button to populate them. You are immediately taken to a page showing your first rotating code.
Enter two consecutive codes into Authentication Code 1 and Authentication Code 2, then click Continue to move on.
You can see confirmation of the association in the Security Credentials tab.
If you now log out, you can test this by navigating to your company’s sign-in page. Enter your username and password as usual.
Upon clicking the sign-in link, you’ll be prompted a second time for the code on your MFA device. Punch it in, and you’re good to go!
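The "rotating code" the virtual MFA device shows, and the reason the console asks for two consecutive codes, can be seen in a few lines of code. The example below is added for this post and is not part of the original article or of AWS's own software: it implements the HOTP/TOTP algorithms (RFC 4226 and RFC 6238, HMAC-SHA1, 6 digits, 30-second window) that Google Authenticator and AWS virtual MFA devices use. The secret it uses is the RFC reference test secret, base32-encoded the way a "secret configuration key" is shown, and is a constructed sample, not a real AWS key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 4226/6238 reference secret "12345678901234567890",
# base32-encoded the way AWS shows a "secret configuration key". Not a real key.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    cleaned = secret_b32.upper().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)            # restore base32 padding if stripped
    key = base64.b32decode(cleaned)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    The code therefore 'rotates' every `step` seconds."""
    return hotp(secret_b32, at_time // step, digits)


def two_consecutive_codes(secret_b32: str, at_time: int, step: int = 30):
    """The pair the IAM console asks for (Authentication Code 1 and 2): the code
    for the current 30-second window and the code for the following window.
    Two codes let the server confirm the device's secret and clock at once."""
    return totp(secret_b32, at_time, step), totp(secret_b32, at_time + step, step)


if __name__ == "__main__":
    now = int(time.time())
    first, second = two_consecutive_codes(SAMPLE_SECRET_B32, now)
    print(f"code now: {first}  next window: {second}")
```

Because the code is derived entirely from the secret and the clock, the QR code and the "secret configuration key" are the seed itself: anyone holding a copy can produce identical codes, so distribute them over a channel you would trust with a password.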
Forcing users to use MFA to execute certain actions
As of yet, AWS does not provide a global setting by which to require MFA. That said, you can add a very quick condition to require Multi-Factor Authentication at the group level. This can apply to specific actions, or as a condition across the board.
This ensures that those Read-Write or Administrator groups never accidentally have users placed in them who aren’t already set up with MFA. The condition itself is simple: it requires the user to have authenticated using MFA within the last x seconds (in this example, 300 seconds, or 5 minutes).
This can be added to any existing policy by including, in its Condition clause, a statement to the following effect:
"Condition": {
    "NumericLessThan": {"aws:MultiFactorAuthAge": "300"}
}
It can also be added via the IAM Policy Generator using a Condition statement:
The beauty of this is that it can be applied at a very high level, or only to certain subsets of actions. For example, you could set up a policy allowing users to read and download objects from their favourite S3 bucket, while the following tweak at the end of the policy would require them to be set up with MFA in order to delete.
It’s a great way to roll out MFA gently, and only to users who want it or need access to certain functionality.
A sample statement illustrating this concept is as follows:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["s3:Delete*"],
        "Effect": "Allow",
        "Resource": ["*"],
        "Condition": {
            "NumericLessThan": {"aws:MultiFactorAuthAge": "300"}
        }
    }]
}
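To see what the condition actually does at decision time, the following added example (written for this post, not AWS's policy engine or any code from the original article) models the relevant part of IAM evaluation over the read-plus-delete policy described above: every condition key must match, and a plain operator such as NumericLessThan evaluates to false when its key is absent from the request. AWS only populates aws:MultiFactorAuthAge for sessions that authenticated with MFA, so a password-only session never satisfies the delete statement. The request contexts and the object ARN are constructed samples; the read statement's actions (s3:GetObject, s3:ListBucket) are added here to show the contrast the text describes.

```python
import fnmatch

# The post's policy extended with the read statement it describes: read and
# download work for any session, deletes only within 300 s of an MFA login.
S3_READ_ANYTIME_DELETE_WITH_MFA = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["*"]
        },
        {
            "Action": ["s3:Delete*"],
            "Effect": "Allow",
            "Resource": ["*"],
            "Condition": {"NumericLessThan": {"aws:MultiFactorAuthAge": "300"}}
        }
    ]
}

# Constructed request contexts. aws:MultiFactorAuthAge is the number of seconds
# since MFA was used; a session that never used MFA carries no such key at all.
CTX_MFA_FRESH = {"aws:MultiFactorAuthAge": "120"}
CTX_MFA_STALE = {"aws:MultiFactorAuthAge": "900"}
CTX_NO_MFA = {}
SAMPLE_OBJECT = "arn:aws:s3:::example-bucket/report.csv"   # constructed ARN


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action wildcards: '*' matches any run, '?' one char; names are case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, resource: str) -> bool:
    """Resource ARNs use the same wildcards but are compared case-sensitively."""
    return fnmatch.fnmatchcase(resource, pattern)


def condition_matches(condition: dict, request_context: dict) -> bool:
    """Toy model of IAM condition evaluation for the operator used on the page.

    Reproduces two rules of the real engine: every key in every operator block
    must match (logical AND), and an operator without an '...IfExists' suffix
    is false when its key is missing from the request context.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in request_context:
                return False                      # missing key -> condition fails
            actual = request_context[key]
            if operator == "NumericLessThan":
                if not float(actual) < float(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled here")
    return True


def is_allowed(policy: dict, action: str, resource: str, request_context: dict) -> bool:
    """Toy decision: an explicit Deny wins, else any matching Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if not any(_resource_matches(p, resource) for p in resources):
            continue
        if not condition_matches(stmt.get("Condition", {}), request_context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for label, ctx in [("MFA 2 min ago", CTX_MFA_FRESH),
                       ("MFA 15 min ago", CTX_MFA_STALE),
                       ("no MFA", CTX_NO_MFA)]:
        for action in ("s3:GetObject", "s3:DeleteObject"):
            verdict = is_allowed(S3_READ_ANYTIME_DELETE_WITH_MFA, action, SAMPLE_OBJECT, ctx)
            print(f"{label:>15}  {action:<16} -> {'ALLOW' if verdict else 'DENY'}")
```

Run as a script, the table shows reads allowed in every row and deletes allowed only in the first. The stale row is the one worth noting operationally: a user who authenticated with MFA at the start of the day will start receiving access-denied errors on deletes after five minutes and must re-authenticate, which is the intended behaviour of the 300-second window.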
The usefulness of this, as with all AWS IAM policies, is that their use can be automatic, delivered programmatically, and can apply to more than just flesh-and-blood users. In his blog, Jim Scharf discusses securing access via API calls using MFA, or MFA-Protected API Access.
I encourage all of those interested to give it a read - it can be found here.
Interested in learning more about Amazon Web Services? Feel free to reach out to us - We're happy to help!