
How to Enable MFA in AWS?

Last Updated : 15 Apr, 2025

Securing your cloud infrastructure is paramount, and one effective way to strengthen it is to implement Multi-Factor Authentication (MFA) in AWS. MFA requires users to provide two or more verification factors to gain access to their AWS accounts, which makes it significantly harder for unauthorized individuals to compromise your system. In short, it adds an extra layer of protection on top of your user name and password. If you want to know more about MFA, you can follow the following article.


Terminologies

Before diving into the steps for enabling Multi-Factor Authentication in AWS, let's understand some primary terminologies:

  • Multi-Factor Authentication (MFA): A security system that requires more than one method of authentication to verify the user's identity for a login or other transaction. This typically involves something you know (password) and something you have (a mobile device or hardware token or fingerprint).
  • AWS Identity and Access Management (IAM): A service that helps you securely control access to AWS services and resources for your users. With IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
  • Virtual MFA Device: A software-based authentication method that uses a virtual device, like an app on your smartphone, to generate time-based one-time passwords (TOTP) for MFA. Examples of virtual MFA devices are Google Authenticator and Microsoft Authenticator.
  • Hardware MFA Device: A physical device that generates TOTP for MFA. This is a dedicated hardware device provided by AWS or third-party vendors. Example: Gemalto.
  • U2F Security Key: Universal 2nd Factor (U2F) is a hardware-based authentication method that provides a secure way to protect your AWS accounts. U2F security keys are small USB or NFC devices that you physically insert into your computer or tap on a supported device to complete the authentication process. An example of a U2F device is YubiKey.

Step-by-Step Process to Enable MFA in AWS

Enabling MFA in AWS is a straightforward process that can be broken down into a few key steps:

Step 1: Sign in to the AWS Management Console

Navigate to the AWS Management Console at AWS Console.

Log in using your AWS root account credentials. If you are an IAM user, you need sufficient privileges to manage MFA settings.

[Image: Sign In]

Step 2: Access the IAM Dashboard

Once logged in, locate the IAM service from the AWS Management Console. This can be found under Security, Identity, & Compliance. Click on Users in the IAM dashboard to see a list of IAM users associated with your account.

[Image: IAM Dashboard]

Step 3: Select the User for MFA

Choose the specific user for whom you want to enable MFA. On the user summary page, click on the Security credentials tab.

Step 4: Manage MFA Device

Under the Multi-Factor Authentication (MFA) section, click on Manage.

You will be prompted to choose between a virtual MFA device, a U2F security key, or a hardware MFA device. A U2F security key or hardware MFA device requires special hardware such as a USB key, Gemalto token or YubiKey, which is why this guide uses a virtual MFA device.

[Image: Manage MFA Device]

Step 5: Set Up Virtual MFA Device (Using AWS Virtual MFA App)

Install an MFA App: If you choose a virtual MFA device, you will need an app like Google Authenticator, Authy, or the AWS Virtual MFA app on your smartphone.

Activate the Device: Open the MFA app and use it to scan the QR code provided by AWS. Alternatively, you can manually enter the secret key.

[Image: Scan QR]

Validate: The MFA app will start generating 6-digit codes. Enter two consecutive codes into the AWS console to validate the device.

[Image: Validate MFA codes]

Finish: Once validated, the MFA is enabled for the user.

[Image: Successfully assigned virtual MFA]
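To show what the authenticator app does with the secret key from Step 5, and why two consecutive codes prove the device is correctly seeded and roughly in sync, here is an added example (not code from this article or from AWS). It implements standard TOTP (RFC 6238 over RFC 4226, HMAC-SHA1, 30-second steps); `validate_enrollment` and its `drift_steps` window are a simplified, assumed model of a server-side check, not AWS's actual implementation, and the secret is the public RFC test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret key shown as the manual alternative to the QR code."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)

def totp(secret_b32: str, unix_time: int) -> str:
    """The 6-digit code an authenticator app displays at unix_time."""
    return hotp(decode_secret(secret_b32), unix_time // STEP)

def validate_enrollment(secret_b32, code1, code2, unix_time, drift_steps=1):
    """Accept only if code1 and code2 belong to two consecutive time steps
    near unix_time (assumed model; drift_steps is a hypothetical tolerance)."""
    key = decode_secret(secret_b32)
    current = unix_time // STEP
    first = max(0, current - drift_steps - 1)
    for start in range(first, current + drift_steps + 1):
        ok1 = hmac.compare_digest(hotp(key, start), code1)
        ok2 = hmac.compare_digest(hotp(key, start + 1), code2)
        if ok1 and ok2:
            return True
    return False

# Constructed sample: the RFC 4226/6238 test key, base32-encoded like a real MFA seed.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    first_code = totp(SAMPLE_SECRET, 59)
    second_code = totp(SAMPLE_SECRET, 60)
    print(first_code, second_code)
    print(validate_enrollment(SAMPLE_SECRET, first_code, second_code, 75))
```

Anyone who holds the secret key can generate valid codes, so treat the QR code and the manually entered key as credentials and do not store screenshots of them.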

Step 6: Confirm and Test

After successfully enabling MFA, ensure that it works by signing out and logging back in. You will be prompted to enter the MFA code in addition to your password. Your MFA app on your mobile device shows the authentication code, and after entering it you will be logged in.

[Image: Testing MFA code]

Example For MFA in AWS

For instance, imagine a scenario where your root account credentials have been compromised. Without MFA enabled, the intruder could access your AWS resources, causing potential damage. However, with MFA enabled, they would also need access to your MFA device, providing a critical line of defense.

Conclusion

Enabling MFA in AWS is a crucial step in securing your cloud environment. By following the steps outlined above, you can ensure that your AWS accounts are protected against unauthorized access. Always remember to test your MFA setup after enabling it to confirm everything is functioning correctly.

