Getting Started with AWS (Part 7)

If you would like to read the other parts in this article series please go to:

Introduction

Let’s briefly recap what we’ve learned so far in this series of articles. In Part 1 we described the free usage tier of Amazon Web Services (AWS) and how you can sign up for it so you can test drive AWS for 12 months. Then in Part 2 we examined the various management and development tools provided by Amazon for creating and managing cloud resources on AWS. In Part 3 we described some steps you can take to secure your AWS account and to limit the damage if your account becomes compromised. Part 4 introduced AWS Identity and Access Management (IAM), a web service that enables you to create and manage users and assign permissions for your AWS cloud environment. Then in Part 5 we learned about the features of the IAM Console, created a friendly alias for our AWS account ID, and verified that we hadn’t generated any access keys for our AWS root account. Part 6 then demonstrated how to create a new user with administrator privileges so you can use this user instead of your root account for managing your AWS environment. This present article examines how to implement multi-factor authentication (MFA) to add an extra layer of protection to your AWS root account and IAM user accounts. We’ll also consider the advantages and disadvantages of using MFA for protecting AWS accounts, especially your root account.

Understanding AWS multi-factor authentication

Let’s start off by logging on to the AWS console in our AWS Free Tier environment using the new admin-level IAM user named Bob_Smith that we created previously in Part 6 of this series. To do this, we launch our web browser and open the following URL:

https://<alias>.signin.aws.amazon.com/console

where <alias> is the friendly name we created for our AWS account in Part 5 of this series. If you recall, we created an alias so we won’t have to remember our 12-digit account ID when we need to sign into the AWS console. Open the above URL and enter Bob’s credentials into the sign-in dialog like this:

Image
Figure 1: Signing in to the AWS console.

This takes you to the Dashboard page for your AWS account which at this point in our series should look something like this:

Image
Figure 2: Dashboard page of AWS account.

Tip:
If you’re taken to the AWS Console Home page instead, click the Identity & Access Management icon in the Administration & Security section of the Console Home page.

Before we get to talking about MFA however, let me first point out that there may be slight differences between what you see on your own Dashboard page and what’s shown in Figure 2 above. For example, between writing Part 6 and Part 7 of this series, Amazon changed the name of the Password Policy page to Account Settings. This is something you are probably used to by now if you’ve been using cloud services from any service provider, whether Amazon, Microsoft, or Google: namely, that the provider is always making changes to the user interface of their administration consoles. Sometimes the changes are incremental, like changing the name of a page or tab or setting. Other times the changes can be a bit of a shock, for example when they change the entire look and feel of how their admin console works. What’s the answer to this? Get used to it. If you want to utilize cloud services for your organization, expect constant change in some way or fashion. But another thing to notice is more important as we’ll see next.

Now let’s return to the topic of MFA. Notice in Figure 2 that the Dashboard page is informing us that we still have one final security task to perform before we’ve finished setting up our new AWS environment. The task still to be performed is to activate MFA on our root account (the Amazon account you used to first sign up for the AWS Free Tier). MFA is a feature of AWS that adds a second factor on top of the password: the user of an MFA-enabled AWS root account or IAM user account must also enter a unique authentication code generated by a device in their possession each time they sign in to the AWS console, so a stolen or guessed password alone is not enough to get in. In a similar fashion, MFA can protect programmatic access to AWS service APIs: the application or service must present a current authentication code from the same kind of device before it is allowed to call the protected API. For the rest of this article however, we’ll focus on how MFA can be used to help protect your AWS root account and any IAM user accounts in your environment.

Types of MFA devices

There are two basic types of devices that can be used to generate the unique authentication code needed to implement MFA for an AWS environment:

  • Physical (or hardware) MFA devices – These include key fobs and similar hardware devices the user can carry on his or her person and use to generate the authentication code they will need to supplement their password in order to log onto the AWS console. Amazon AWS currently supports two physical MFA devices produced by Gemalto, a Dutch company that provides identity and access solutions for government agencies, financial services, and other industry sectors where digital security is paramount. Because the secret that generates the codes never leaves the token, it cannot be copied by malware on the user’s computer or phone.
  • Virtual MFA devices – These are applications you install on your computer, tablet or smartphone and then use to generate the authentication code. Supported virtual MFA applications depend on the platform you are using. For example, you can use Google Authenticator if you have an iPhone, an Android device, or a BlackBerry. More information on supported virtual MFA applications can be found in the AWS documentation.

Using an MFA device

Figure 3 shows one of the Gemalto MFA devices, which is designed to be used only with AWS. You can purchase this device through the Gemalto Webstore for AWS Users. The devices are not expensive and fulfillment is performed by Amazon.

Let’s look at one of these devices, the Ezio Time-based 6-digit Token for Use with Amazon Web Services Only. Basically, this device is a token that looks a lot like a key fob for an automobile. As illustrated on the Gemalto website, the device has a button on one side and an LCD display which displays six digits:

Image
Figure 3: The Ezio Time-based 6-digit Token for Use with Amazon Web Services Only from Gemalto

The way this device works is that you press the button and it generates the unique 6-digit authentication code you use, together with your password, to log onto AWS with your MFA-enabled user account. The code is derived from a secret stored inside the token and the current time, so it can only be used once (this is known as a one-time passcode or OTP) and is only valid for 30 seconds, after which the token produces a different code. Once you’ve associated the device with either your AWS root account or the IAM user account you are using, logging on to the AWS console changes from simply entering your credentials (username and password) to this:

  1. Enter your username and password on the AWS login page
  2. Press the button on your MFA device to generate a new 6-digit authentication code
  3. Select the checkbox “I have an MFA Token” and type the authentication code in the MFA Code textbox, then click Sign In:

Image
Figure 4: Logging on using an MFA device.

Note that you only have 30 seconds to use the authentication code your MFA device has generated. Also, if you make a mistake entering the code in the above dialog, you’ll need to press the button again to generate a new code.

Enabling an MFA device for a user account

How does AWS know that the authentication code your MFA device generated is the correct one for your user account? The answer is that you first need to associate the device with the user in your AWS environment, so that AWS knows which device’s codes to expect for that user. For example, let’s say that we want to associate our MFA device with user Bob_Smith in our AWS environment. To do this, we click Identity & Access Management in the AWS console and then we select the Users page:

Image
Figure 5: Step 1 of enabling an MFA device for a user account.

Next, click the name of the user (here Bob_Smith) for which you want to enable the MFA device to be used. On the page detailing the user’s properties, scroll down to the section called Security Credentials:

Image
Figure 6: Step 2 of enabling an MFA device for a user account.

In the Security Credentials section shown above, click Manage MFA Device to open the Manage MFA Device dialog:

Image
Figure 7: Step 3 of enabling an MFA device for a user account.

In the Manage MFA Device page shown above, select the type of MFA device the user will use, and then click Next Step:

Image
Figure 8: Step 4 of enabling an MFA device for a user account.

In the Manage MFA Device page shown above, type the serial number for your device (here we’re assuming that the user will use a physical or hardware MFA device). For the Gemalto device being used here, the serial number can be found on the back of the device:

Image
Figure 9: The back side of the Ezio Time-based 6-digit Token for Use with Amazon Web Services Only from Gemalto

Now press the button on the device and type the authentication code generated in the Authentication Code 1 textbox shown in Figure 8. Wait for the display to change, press the button again and type the second authentication code generated in the Authentication Code 2 textbox in the figure. The two codes must be consecutive ones from the device, which is how AWS confirms that the token it has on file for that serial number is in step with the one in your hand. Then to complete the process, click Next Step and then click Associate MFA. If you made a mistake typing the serial number of your device, an error message will appear saying that the device you specified doesn’t exist, so type everything carefully.
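The sign-in procedure described under “Using an MFA device” and the two-code association step above both rest on time-based one-time passwords (TOTP, RFC 6238). The following is an added example, not code from AWS, Gemalto or the original article: it generates the 6-digit codes, verifies them on the server side with a small clock-skew window and replay rejection, and performs the consecutive-code check that association relies on. It uses the published RFC 4226/6238 test secret so the outputs can be checked against the standard’s vectors; the size of the skew window AWS actually accepts and the exact form of its association check are assumptions.

```python
"""Added illustration of the one-time codes an AWS MFA device produces: TOTP
(RFC 6238, HMAC-SHA1, 30-second step, 6 digits), server-side verification with
a small clock-skew window and replay rejection, and the two-consecutive-code
check performed when a device is associated with a user. This is not AWS's or
Gemalto's code; the server-side window AWS uses is an assumption."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30    # seconds each code stays valid, as described for the token
DIGITS = 6

# Test secret from RFC 4226 Appendix D / RFC 6238 Appendix B, so the outputs
# can be checked against the published vectors. A real device's secret is
# never exposed; AWS holds it for the token's serial number.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP) -> str:
    """The code a device shows at Unix time `at` (now if omitted): HOTP with
    the counter set to the number of elapsed time steps."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step)


def _candidates(now: int, window: int) -> range:
    """Counters within +-window steps of `now` (never negative)."""
    return range(max(0, now - window), now + window + 1)


class MfaVerifier:
    """Server-side state for one associated device: the shared secret plus
    the highest counter already accepted, so a captured code cannot be
    replayed even inside its 30-second lifetime."""

    def __init__(self, secret: bytes, step: int = STEP, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window      # tolerate +-window steps of clock skew
        self.last_counter = -1

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        if at is None:
            at = time.time()
        now = int(at) // self.step
        for counter in _candidates(now, self.window):
            if counter <= self.last_counter:
                continue          # this step was already consumed: replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def check_association(secret: bytes, code1: str, code2: str,
                      at: Optional[float] = None, step: int = STEP,
                      window: int = 2) -> bool:
    """Associating a device requires two consecutive codes: this proves the
    device's clock and secret line up with what the server holds (assumed
    to mirror the Authentication Code 1 / Code 2 fields in the console)."""
    if at is None:
        at = time.time()
    now = int(at) // step
    for counter in _candidates(now, window):
        if (hmac.compare_digest(hotp(secret, counter), code1)
                and hmac.compare_digest(hotp(secret, counter + 1), code2)):
            return True
    return False


if __name__ == "__main__":
    # Usage: what the device shows right now, and a round-trip verification.
    now_code = totp(RFC_TEST_SECRET)
    print("current code:", now_code)
    print("accepted:", MfaVerifier(RFC_TEST_SECRET).verify(now_code))
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so that a wrong code takes the same time to reject whichever digit is wrong, and the verifier remembers the last counter it accepted, which is what stops someone who shoulder-surfed a code from logging in with it during the same 30-second window.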

Should you use MFA for your root account?

MFA devices like the Gemalto one shown above can be of great help in protecting your AWS account from being abused. In many environments, such as the financial sector, governments, or military, two-factor authentication is a de facto requirement to ensure security when accessing sensitive sites and other corpnet resources. But is it a good idea to enable an MFA device for your AWS root account?

The Dashboard page of IAM shown previously in Figure 2 clearly suggests that activating MFA on your root account is one of the essential security steps you should perform when you initially configure your AWS environment. But enabling MFA for your root account can end up causing problems. If you go to the Amazon page where the Gemalto device is listed and read the customer reviews you’ll see that several reviewers have complained that after a period of time using it, their device stopped working. This may have been caused by misuse on the user’s part, but regardless of the cause the effect on the user was annoying to say the least, for it prevented them from logging on to AWS using their root account. As a result, the user had to contact AWS customer service and ask them to deactivate the MFA device so the user could log on to AWS again without using the device. From what I’ve read, this can be a tedious process where the user might need to fax proof of identity documentation to Amazon in order to convince them of who they are.

Now as long as you have set up at least one additional admin-level account in IAM, you can still perform any task that an administrator might need to perform in your AWS environment. What you cannot do by default however is access the Billing & Cost Management section of the AWS console, which your root account can access by clicking the username towards the right side of the top menu bar. So in other words, it can be a big deal getting locked out from being able to log on with your root account when the MFA device assigned to this account fails. However, you can configure IAM user access to billing information so that specifically designated IAM users (like an alternate admin-level account) can access your billing info. This can be a helpful precaution in case the MFA device associated with your root account should fail, but if you do configure this functionality then you should also ensure that any IAM user to whom you grant this access also has an MFA device associated with their account for extra security.

To configure IAM user access to billing information, log on to AWS using your root account and open IAM, then click Account Settings and scroll down until you see the section titled IAM User Access To Billing Information:

Image
Figure 10: Step 1 of configuring IAM user access to billing information.

Click the Edit item at the top right in the above figure to display more information:

Image
Figure 11: Step 2 of configuring IAM user access to billing information.

Select the Activate IAM Access checkbox and click Update. You can then use IAM policies to assign the necessary permissions to the users to whom you want to allow access to your billing information. We’ll look at IAM policies in more detail in the next article of this series.
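As an added example of the kind of policy just mentioned (not a policy from the original article, and only effective once IAM user access to billing information has been activated as shown above), the following IAM policy grants read access to billing data and, through the `aws:MultiFactorAuthPresent` condition key, only to sessions that were opened with an MFA code. The `Sid` value is an arbitrary label chosen here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBillingViewOnlyWithMFA",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "aws-portal:ViewUsage"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

Testing the condition as `"true"` rather than denying on `"false"` is deliberate: for requests signed with long-term access keys the key is absent altogether, not false, so a policy that only denies `"false"` would still let such requests through.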

Of course, if all your MFA devices fail for both your root account and any IAM users you have allowed access to your billing info, then you’ve got a problem. If you want to avoid the hassle of having to deal with AWS customer support if such an incident should occur, then you might simply want to use a very long and complex passphrase as the password for your root account and not assign an MFA device to that account. If you do decide to enable MFA on the root account, note that a virtual MFA device lets you record the secret key shown at setup and store it offline in a safe place, which gives you a recovery path that a hardware token cannot.
