IAM Multi Factor Authentication

First, open the AWS Console. You need to log in, and then you’ll see something like this.

Hover on Services to see the list of services provided by AWS.

Yep, there are way too many of them. But the good thing is, you’ll most likely never deal with most of them. Here you’ll see IAM under Security, Identity and Compliance. Click on it.

You can customize your login URL here if you like.

I updated it to make it easy to remember.

So now there are a few things mentioned in here:

  1. MFA (Multi Factor Authentication) has not been activated
  2. No IAM users are created
  3. No groups are created or used
  4. There is no password policy used

So let’s tackle these one-by-one!
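Before clicking through, it helps to have a way to confirm these four findings from a terminal, so you can re-check them after the changes (and on every other account you own). The following is an added example written for this post, not code from AWS: it takes the JSON that `aws iam get-account-summary` prints (the `SummaryMap` keys `AccountMFAEnabled`, `Users`, `Groups`, `MFADevices` and `MFADevicesInUse` are real) plus a flag saying whether `aws iam get-account-password-policy` returned a policy (it fails with `NoSuchEntity` when none is set), and produces the same list of findings the dashboard shows. The sample JSON below is constructed to mirror a fresh account; the function and variable names are mine.

```python
import json

# Constructed sample mirroring the shape of `aws iam get-account-summary` output
# for a brand-new account: no root MFA, no users, no groups (sample data, not real output).
SAMPLE_SUMMARY_JSON = """
{
  "SummaryMap": {
    "AccountMFAEnabled": 0,
    "Users": 0,
    "Groups": 0,
    "MFADevices": 0,
    "MFADevicesInUse": 0,
    "Policies": 0
  }
}
"""


def load_summary(json_text: str) -> dict:
    """Extract the SummaryMap from the CLI's JSON document."""
    return json.loads(json_text)["SummaryMap"]


def audit_account(summary: dict, has_password_policy: bool) -> list:
    """Return the dashboard's findings as a list of strings (empty list = all four done).

    has_password_policy: True if `aws iam get-account-password-policy` succeeded,
    False if it raised NoSuchEntity (no custom policy configured).
    """
    findings = []
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("MFA is not activated on the root account")
    if summary.get("Users", 0) == 0:
        findings.append("No IAM users are created")
    if summary.get("Groups", 0) == 0:
        findings.append("No groups are created or used")
    if not has_password_policy:
        findings.append("No password policy is set")
    # Extra check not on the dashboard: MFA devices registered but never bound to a user.
    if summary.get("MFADevices", 0) > summary.get("MFADevicesInUse", 0):
        findings.append("Some virtual MFA devices are created but not assigned")
    return findings


def audit_json(json_text: str, has_password_policy: bool = False) -> list:
    """Convenience wrapper: audit straight from the CLI's JSON text."""
    return audit_account(load_summary(json_text), has_password_policy)


if __name__ == "__main__":
    for line in audit_json(SAMPLE_SUMMARY_JSON):
        print("-", line)
```

Run `aws iam get-account-summary > summary.json` and feed the file to `audit_json`; once root MFA is on and the other items are done, the returned list should be empty.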

Click on Activate MFA on your root account and then click on Manage MFA. You’ll then see the following screen. Click on Multi Factor Authentication (MFA) and then Activate MFA.

There are 3 options:

  1. Virtual MFA device
  2. U2F security key
  3. Other Hardware MFA device

Now, my guess is you don’t have any of them. But don’t worry: the Virtual MFA device is simply an app that generates MFA tokens, and it is available on the Play Store and App Store for free!

In fact, there are a few options available, which you can see by clicking See a list of compatible applications.

We are going to use Google Authenticator. Go ahead and download it from the Play Store / App Store. You can then scan the QR code from the screen above to view an MFA code. The MFA code expires in about a minute and a new one is generated automatically. Enter the two most recent codes you see on the phone and press Assign MFA.
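To make it clear what the app is actually doing when it shows a rotating code, and why the console asks for two codes in a row, here is an added example (written for this post, not code from AWS or Google Authenticator) that implements the standard the virtual MFA device uses: HOTP (RFC 4226) driven by the current Unix time (TOTP, RFC 6238). The QR code carries a base32-encoded secret; the app and AWS both hold it, and each derives the code from HMAC-SHA1 of the secret over the current 30-second time slot, so the only thing that must agree between them is the clock. The two-code check below reproduces the enrolment idea: two codes from adjacent time slots prove the phone's secret and clock are right. Function names and the tiny skew window are my choices; the seed string is the RFC test vector, not a real key.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second slots since the Unix epoch.
    This is why a code "expires": at the next slot boundary the counter changes."""
    return hotp(secret, at // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """The seed shown under the QR code is base32; tolerate spaces, lowercase and missing padding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_two_consecutive(secret: bytes, code1: str, code2: str, now: int,
                           step: int = 30, skew_steps: int = 1) -> bool:
    """Enrolment-style check (my reconstruction, not AWS's exact logic): code1 must match
    some slot near 'now' and code2 must match the slot immediately after it. Allowing a
    slot or two of skew tolerates a phone clock that is slightly off."""
    current = now // step
    for c in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, c), code1) and \
           hmac.compare_digest(hotp(secret, c + 1), code2):
            return True
    return False


def seconds_left(at: int, step: int = 30) -> int:
    """How long the current code stays valid (the countdown the app shows)."""
    return step - (at % step)


if __name__ == "__main__":
    # RFC 4226/6238 test seed, base32-encoded the way a QR code would carry it (not a real key).
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    print("current code:", totp(seed, now), "valid for", seconds_left(now), "s")
    print("next code   :", totp(seed, now + 30))
```

Two practical consequences fall out of the code: the secret never leaves the phone or AWS after enrolment (only the derived six digits do), and a phone clock more than a slot or two away from true time produces codes AWS rejects, which is the usual cause of "invalid MFA code" on a freshly set-up device.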

The new device code should now appear in your console as shown below.

Now every time you try to log in to the AWS Console, you’ll need to enter an OTP from the app.