Multi-Factor Authentication (MFA) on AWS

Image for post
Image for post


I will be posting a series of some cool articles related to AWS security, some are required to use Multi-Factor Authentication (MFA) so here is a basic one how to enable MFA on AWS.

Probably many of you already familiar with using MFA login in a web browser, In this post, I will also share how to use MFA login on AWS CLI.

Create IAM User

The first step is to create an IAM user if you don’t have one using the AWS Console. Make sure you allow console access or programmatic access (if required)

In this example, I am creating a user called mfatest

Enable MFA

To enable MFA on IAM User, open AWS Console > IAM > Users > select the user you want to enable MFA. In my example, it is user mfatest.

Click on the Manage under Assign MFA device section

Select the MFA device you want to use, the most common these days in Virtual MFA device, you can use Google Authenticator app on your mobile device to use Virtual MFA.

Note: Just in case you are not familiar with the Physical MFA devices, they look like the following ;-)

Scan the barcode with the Google authenticator app

On Google Authenticator app click the + sign and choose Scan barcode

The App will automatically detect the settings and displays the 6 digit number which expires every 30 seconds or so.

Go back to AWS Console and enter the next 2 sequences of the Token from Google Authenticator app and click OK

Once the sequence matches the MFA would be enabled for the IAM user

Using MFA on Web Browser

Copy the URL sown under Summary as Console sign-in

Enter User ID and Password

Enter MFA code from Google Authenticator app or other MFA devices on Submit you should see the AWS console.

Using MFA on AWS CLI

Setting MFA on CLI is a bit tricky.

First, make sure you have Enabled the programmatic access of the IAM user (see the create user slide earlier)

I have also attached the custom policy on IAM User to Force MFA when using AWS services, check this AWS documentation link for more info

I have added a new profile of mfatest user to use with AWS CLI

Copy the MFA device URL from AWS console as shown with the Assign MFA Device (we need this in the following commands)

Execute the following command to get temporary access and secret keys from AWS, you need to pass the token from MFA device

Note: make sure pass MFA Device URL to serial-number and pass MFA device token to token-code

The response would contain the temporary Access Key, Secret Key and Session Token which is valid till the expiration time

You can add these credentials to your AWS CLI config or use environment variables to set up, see this post for more info

In my example, I set in AWS CLI configuration as a new profile called mymfa

Now try to access AWS using CLI as following, in my example I am getting an exception if I don’t pass the MFA token

After getting temporary credentials from AWS using MFA token, I can list S3 buckets in my account when using another profile called mymfa


In this post, we have covered how to setup Multi-factor authentication in AWS. I will be posting some advance security topics in coming weeks which would need MFA setup so this post would work as a reference.

Hope you like this post.


About DataNext

DataNext Solutions is a US based system integrator, specialized in Cloud, Big Data, DevOps technologies. As a registered AWS partner, our services comprise of any Cloud Migration, Cost optimization, Integration, Security and Managed Services. Click here and Book Free assessment call with our experts today or visit our website for more info.

Written by

Cloud Security Expert & CEO of DataNext Solutions, helping people every day with the latest tech. Connect @LinkedIn

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store