AWS Identity and Access Management (IAM) | Multi-Factor Authentication Flashcards
Are there any default quota limits associated with IAM?
Multi-Factor Authentication
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
Yes, by default your AWS account has initial quotas set for all IAM-related entities. For details see Limitations on IAM Entities and Objects.
These quotas are subject to change. If you require an increase, you can access the Service Limit Increase form via the Contact Us page, and choose IAM Groups and Users from the Limit Type drop-down list.
What is AWS MFA?
AWS multi-factor authentication (AWS MFA) provides an extra level of security that you can apply to your AWS environment. You can enable AWS MFA for your AWS account and for individual AWS Identity and Access Management (IAM) users you create under your account.
How does AWS MFA work?
AWS MFA uses an authentication device that continually generates random, six-digit, single-use authentication codes. There are two primary ways to authenticate using an AWS MFA device:
AWS Management Console users: When a user with MFA enabled signs in to an AWS website, they are prompted for their user name and password (the first factor–what they know), and an authentication code from their AWS MFA device (the second factor–what they have). All AWS websites that require sign-in, such as the AWS Management Console, fully support AWS MFA. You can also use AWS MFA together with Amazon S3 secure delete for additional protection of your S3 stored versions.
AWS API users: You can enforce MFA authentication by adding MFA restrictions to your IAM policies. To access APIs and resources protected in this way, developers can request temporary security credentials and pass optional MFA parameters in their AWS Security Token Service (STS) API requests (the service that issues temporary security credentials). MFA-validated temporary security credentials can be used to call MFA-protected APIs and resources.
How do I help protect my AWS resources with MFA?
Follow two easy steps:
- Get an authentication device. You have two options:
  - Purchase a hardware device from Gemalto, a third-party provider.
  - Install a virtual MFA-compatible application on a device such as your smartphone.
  Visit the AWS MFA page for details about how to acquire a hardware or virtual MFA device.
- After you have an authentication device, you must activate it in the IAM console. You can also use the IAM CLI to activate the device for an IAM user.
Is there a fee associated with using AWS MFA?
AWS does not charge any additional fees for using AWS MFA with your AWS account. However, if you want to use a physical authentication device, you will need to purchase an authentication device that is compatible with AWS MFA from Gemalto, a third-party provider. For more details, please visit Gemalto’s website.
Can I have multiple authentication devices active for my AWS account?
Yes. Each IAM user can have its own authentication device. However, each identity (IAM user or root account) can be associated with only one authentication device.
Can I use my authentication device with multiple AWS accounts?
No. The authentication device or mobile phone number is bound to an individual AWS identity (IAM user or root account). If you have a TOTP-compatible application installed on your smartphone, you can create multiple virtual MFA devices on the same smartphone. Each one of the virtual MFA devices is bound to a single identity, just like a hardware device. If you dissociate (deactivate) the authentication device, you can then reuse it with a different AWS identity. The authentication device cannot be used by more than one identity simultaneously.
I already have a hardware authentication device from my place of work or from another service I use, can I re-use this device with AWS MFA?
No. AWS MFA relies on knowing a unique secret associated with your authentication device in order to support its use. Because of security constraints that mandate such secrets never be shared between multiple parties, AWS MFA cannot support the use of your existing hardware authentication device. Only a compatible hardware authentication device purchased from Gemalto can be used with AWS MFA.
Purchasing an MFA Device
I’m having a problem with an order for an authentication device using the third-party provider Gemalto’s website. Where can I get help?
Gemalto’s customer service can assist you.
I received a defective or damaged authentication device from the third-party provider Gemalto. Where can I get help?
Gemalto’s customer service can assist you.
I just received an authentication device from the third-party provider Gemalto. What should I do?
You simply need to activate the authentication device to enable AWS MFA for your AWS account. See the IAM console to perform this task.
Provisioning a Virtual MFA Device
What is a virtual MFA device?
A virtual MFA device is an entry created in a TOTP-compatible software application that can generate six-digit authentication codes. The software application can run on any compatible computing device, such as a smartphone.
What are the differences between a virtual MFA device and physical MFA devices?
Virtual MFA devices use the same protocols as the physical MFA devices. Virtual MFA devices are software based and can run on your existing devices such as smartphones. Most virtual MFA applications also allow you to enable more than one virtual MFA device, which makes them more convenient than physical MFA devices.
Which virtual MFA applications can I use with AWS MFA?
You can use applications that generate TOTP-compliant authentication codes, such as the Google Authenticator application, with AWS MFA. You can provision virtual MFA devices either automatically by scanning a QR code with the device’s camera or by manual seed entry in the virtual MFA application.
Visit the MFA page for a list of supported virtual MFA applications.
What is a QR code?
A QR code is a two-dimensional barcode that is readable by dedicated QR barcode readers and most smartphones. The code consists of black squares arranged in larger square patterns on a white background. The QR code contains the required security configuration information to provision a virtual MFA device in your virtual MFA application.
How do I provision a new virtual MFA device?
You can configure a new virtual MFA device in the IAM console for your IAM users as well as for your AWS root account. You can also use the aws iam create-virtual-mfa-device command in the AWS CLI or the CreateVirtualMFADevice API to provision new virtual MFA devices under your account. The aws iam create-virtual-mfa-device and the CreateVirtualMFADevice API return the required configuration information, called a seed, to configure the virtual MFA device in your AWS MFA compatible application. You can either grant your IAM users the permissions to call this API directly or perform the initial provisioning for them.
How should I handle and distribute the seed material for virtual MFA devices?
You should treat seed material like any other secret (for example the AWS secret keys and passwords).
How can I enable an IAM user to manage virtual MFA devices under my account?
Grant the IAM user the permission to call the CreateVirtualMFADevice API. You can use this API to provision new virtual MFA devices.
SMS MFA
Can I still request preview access to the SMS MFA?
We are no longer accepting new participants for the SMS MFA preview. We encourage you to use MFA on your AWS account by using either a hardware or virtual MFA device.
How can I begin using the SMS option during the preview?
For existing SMS MFA participants, you can navigate to the IAM console and enable SMS MFA for IAM users. The process involves entering a phone number for each IAM user. Then, when the IAM user signs in to the AWS Management Console, the user receives a six-digit security code via a standard SMS text message and must enter it when signing in.
Enabling AWS MFA Devices
Where do I enable AWS MFA?
You can enable AWS MFA for an AWS account and your IAM users in the IAM console, the AWS CLI, or by calling the AWS API.
What information do I need to activate a hardware or virtual authentication device?
If you are activating the MFA device with the IAM console, then you only need the device. If you are using the AWS CLI or the IAM API, then you need the following:
- The serial number of the authentication device. The format of the serial number depends on whether you are using a hardware device or a virtual device:
  - Hardware MFA device: The serial number is on the bar-coded label on the back of the device.
  - Virtual MFA device: The serial number is the Amazon Resource Name (ARN) value returned when you run the iam-virtualmfadevicecreate command in the AWS CLI or call the CreateVirtualMFADevice API.
- Two consecutive authentication codes displayed by the authentication device.
My authentication device seems to be working normally, but I am not able to activate it. What should I do?
Please contact us for help.
Using AWS MFA
If I enable AWS MFA for my AWS root account or my IAM users, do they always have to use an authentication code to sign in to the AWS Management Console?
Yes. The AWS account root user and IAM users must have their MFA device with them any time they need to sign in to any AWS website.
If your MFA device is lost, damaged, stolen, or not working, you can sign in using alternative factors of authentication, deactivate the MFA device, and activate a new device. As a security best practice, we recommend that you change your root account’s password.
With virtual and hardware MFA, if your IAM users lose or damage their authentication device, or if it is stolen or stops working, you can disable AWS MFA yourself by using the IAM console or the AWS CLI.