In the event of a password theft or credential leakage, an attacker would be able to login into the AWS account of a user with only the password and gain access to the AWS account and services accessible to the user if MFA (multi-factor authentication) is disabled. The attacker could also run additional services or disrupt running operations based on their privileges.
AWS IAM provides MFA capabilities to its users. MFA provides an additional layer of security and must be enabled wherever possible. An attacker would not be able to login to an account, even if they had the password, as the account would require a multi factor authentication token to complete the login process.
In this article we will see how to enable MFA for an AWS IAM user using the AWS CLI.
To enable MFA for a user in AWS IAM, make sure you have the permissions to do so. If not, contact the authorized team member who will enable and set up MFA for the given user.
Following are the steps to enable MFA for an AWS user using AWS CLI:
Run the following command to create a virtual MFA device for the user. In this article we will generate a QR code that will be scanned to set up the MFA device. Save the Serial Number that this command generates
aws iam create-virtual-mfa-device --virtual-mfa-device-name <MFA_device_name> --outfile <QRCode_PNG_location_to_write> --bootstrap-method QRCodePNG
Use an app like Google Authenticator to scan the QR code that was saved from the previous command and obtain two consecutive passcodes generated by the MFA virtual device
Run the following command to assign the virtual MFA device to a user
aws iam enable-mfa-device --user-name <IAM_username> --serial-number <MFA_ARN> --authentication-code1 <auth_passcode_string_1> --authentication-code2 <auth_passcode_string_2>