I will be posting a series of articles related to AWS security. Some of them require Multi-Factor Authentication (MFA), so here is a basic one on how to enable MFA on AWS.
Many of you are probably already familiar with MFA login in a web browser. In this post, I will also share how to use MFA login on the AWS CLI.
Create IAM User
The first step is to create an IAM user, if you don't have one, using the AWS Console. Make sure you allow console access or programmatic access (if required).
In this example, I am creating a user called mfatest.
To enable MFA on an IAM user, open AWS Console > IAM > Users and select the user you want to enable MFA for. In my example, it is the user mfatest.
Click on Manage under the Assign MFA device section.
Select the MFA device you want to use. The most common these days is a Virtual MFA device; you can use the Google Authenticator app on your mobile device as a Virtual MFA device.
Note: Just in case you are not familiar with physical MFA devices, they look like the following ;-)
Scan the barcode with the Google Authenticator app.
In the Google Authenticator app, click the + sign and choose Scan barcode.
The app will automatically detect the settings and display a 6-digit code that expires every 30 seconds or so.
Go back to the AWS Console, enter the next two consecutive codes from the Google Authenticator app and click OK.
Once the sequence matches, MFA will be enabled for the IAM user.
Using MFA on Web Browser
Copy the URL shown under Summary as Console sign-in.
Enter the User ID and Password.
Enter the MFA code from the Google Authenticator app (or another MFA device); on Submit you should see the AWS console.
Using MFA on AWS CLI
Setting up MFA on the CLI is a bit tricky.
First, make sure you have enabled programmatic access for the IAM user (see the create user step earlier).
I have also attached a custom policy to the IAM user to force MFA when using AWS services; check this AWS documentation link for more info.
I have added a new profile for the mfatest user to use with the AWS CLI:
$ vi ~/.aws/credentials
[mfatest]
Copy the MFA device ARN from the AWS console as shown under Assign MFA device (we need it in the following commands).
Execute the following command to get temporary access and secret keys from AWS; you need to pass the current token from the MFA device.
Note: pass the MFA device ARN as --serial-number and the MFA device token as --token-code.
$ aws sts get-session-token --serial-number arn:aws:iam::0080000000:mfa/mfatest --profile mfatest --token-code 757641
The response contains a temporary Access Key, Secret Key and Session Token, which are valid until the expiration time it reports.
You can add these credentials to your AWS CLI config or set them as environment variables; see this post for more info.
In my example, I set them in the AWS CLI configuration as a new profile called mymfa:
$ vi ~/.aws/credentials
[mymfa]
output = json
region = us-east-1
aws_access_key_id = ASIA3YQR7W7AQZZBK56A
aws_secret_access_key = U5jeemYSdCDULxPya3dtFwgeXvbM/jPq/CJDkPKx
aws_session_token = FQoGZXIvYXdzEPf//////////wEaDDrEdJtDMLVJuXciEiKwAXtzQ+gG2KsVzSjS8uLmkvTGzdMOrIdNW7VvelmSRMH0SXvzJ1NsOigia/7bZlBXKcQekmwuEWrKuKMtv+3HYVGHC6kH7ZT8CyvL79KT3X9R3KlAUdqCQ0H4Bv6HrJqgC+KUoiBnE4/xBG8lR45jZ45n6Ds7YsLvthhTWg1SBddBC+uMLSRNoBjj/O/MMSXTieGUmsL0INA2mu0YktRq6TOouYKHFHrm6GZNk2i9cq18KJq9legF
Now try to access AWS using the CLI as follows. In my example, I get an AccessDenied error when I use the mfatest profile, because it carries no MFA token:
$ aws s3 ls --profile mfatest
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
After getting temporary credentials from AWS using the MFA token, I can list the S3 buckets in my account using the other profile, mymfa.
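As an added example (not code from the original post), the following Python script automates the manual steps above: it assembles the get-session-token call with --serial-number and --token-code, refuses an STS response whose Expiration has already passed, and writes the temporary keys into a mymfa profile without touching the other sections of the credentials file. It never contacts AWS; the STS response is a constructed sample with fake values, and the file it writes is a temporary copy, not ~/.aws/credentials.

```python
import configparser
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed sample of what `aws sts get-session-token` prints (all values fake).
SAMPLE_STS_RESPONSE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE01", "SecretAccessKey": "EXAMPLESECRETKEY/constructed",
    "SessionToken": "EXAMPLESESSIONTOKEN/constructed", "Expiration": "2030-01-01T12:00:00Z"}})

def build_sts_command(serial_number, token_code, profile="mfatest", duration=3600):
    """Assemble the CLI call from the post; the token code must be 6 digits."""
    if not re.fullmatch(r"\d{6}", token_code):
        raise ValueError("MFA token code must be exactly 6 digits")
    return ["aws", "sts", "get-session-token", "--serial-number", serial_number,
            "--token-code", token_code, "--profile", profile,
            "--duration-seconds", str(duration), "--output", "json"]

def parse_credentials(sts_json, now=None):
    """Pull the temporary keys out of the response; refuse one that has already expired."""
    creds = json.loads(sts_json)["Credentials"]
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError(f"session token expired at {expires.isoformat()}")
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}

def write_profile(creds_path, profile, creds, region="us-east-1"):
    """Replace only the [profile] section of the credentials file; keep it owner-only."""
    cfg = configparser.ConfigParser()
    cfg.read(creds_path)
    cfg[profile] = {"output": "json", "region": region, **creds}
    with open(creds_path, "w") as fh:
        cfg.write(fh)
    os.chmod(creds_path, 0o600)  # temporary keys are still secrets
    return dict(cfg[profile])

def demo(sts_json=SAMPLE_STS_RESPONSE):
    """End-to-end run into a throwaway file, so nothing under ~/.aws is touched."""
    path = os.path.join(tempfile.mkdtemp(), "credentials")
    with open(path, "w") as fh:
        fh.write("[mfatest]\naws_access_key_id = AKIAEXAMPLE\n")  # pre-existing long-term profile
    profile = write_profile(path, "mymfa", parse_credentials(sts_json))
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return profile, cfg.sections()
```

To use it against a real account, run the list returned by build_sts_command with subprocess, feed its stdout to parse_credentials, and pass the real path to write_profile.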
In this post, we have covered how to set up Multi-Factor Authentication in AWS. I will be posting some advanced security topics in the coming weeks that need an MFA setup, so this post will serve as a reference.
Hope you like this post.
DataNext Solutions is a US-based system integrator specialized in Cloud, Big Data and DevOps technologies. As a registered AWS partner, our services comprise Cloud Migration, Cost Optimization, Integration, Security and Managed Services. Click here to book a free assessment call with our experts today, or visit our website www.datanextsolutions.com for more info.