GoCloud

Multi-Factor Authentication (MFA) is an additional layer of security for AWS Identity and Access Management(IAM) users. It requires users to provide two types of authentication before accessing AWS resources

Something they know - Their AWS IAM Username and Password.
Something they have - A one-time password (OTP) from a registered MFA device.

Why Enable MFA?

Enhances Security - Prevents unauthorized access, even if credentials are stolen.
Protects sensitive AWS resources - Reduces risk of account compromise.
Required for compliance - Helps meet security standards
Supports AWS CLI and SDKs.

Types of MFA in AWS

AWS supports three types of MFA devices.

MFA Types	Description	Example Devices
Virtual MFA (TOPT)	Software-based MFA app generating OTP Codes	Google Authenticator, Authy, Microsoft Authenticator.
U2F security Key	Physical USB/NFC key for authentication	Yubikey, Titan Security Key
Hardware MFA Token	Physical device generating OTP codes	Gemalto, SurePassID

Virtual MFA is the Most common and free option.
Security keys offer the highest level of protection against phishing

How to Enable MFA for an IAM User

Method 1: Using AWS Management Console (GUI)

Steps to enable MFA for an IAM User:

Sign in to the AWS IAM Console.
Navigate to sers and select the IAM User.
Click security credentials → scroll to Multi-Factor-Authentication (MFA)
Click Assign MFA device → Choose Virtual MFA, Security Key, or Hardware MFA
For Virtual MFA

Open a TOPT Authentication app.
Scan the QR Code shown on AWS.
Enter two consecutive OTP codes from the app.
Click Assign MFA.

For Security Key:

Insert to tap your FIDO2 security key when prompted.

MFA is now enabled! The user must enter an OTP or use a security key when signing in.

Method 2: Using AWS CLI

Steps to Enable MFA using AWS CLI:

Step1: Create a Virtual MFA Device

Run the following command to list IAM Users:

$ aws iam list-users

Then, assign an MFA device:

$ aws iam create-virtual-mfa-device --virtual-mfa-device-name 'MyMFADevice'

This returns an ARN (E.g., arn:aws:iam::1234567890:mfa/MyMFADevice)

Step2: Enable MFA for a User

$ aws iam enable-mfa-device \
--user-name IAMUserName \
--serial-number 'arn:aws:iam::1234567890:mfa/MyMFADevice' \
--authentication-code-1 123456 \
--authentication-code-2 789012

Replace IAMUsername and OPT's from your MFA Device.

How to Enforce MFA for AWS IAM Users

To force IAM users to use MFA, create an IAM policy that:

Denies all actions unless MFA is enabled.
Requires MFA authentication for high-security tasks.

Example IAM Policy to enforce MFA:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": false
}
}
}
]
}

What this does:

Denies access unless the user has MFA enabled.
Applies to all AWS actions and resources
Users without MFA cannot perform any AWS actions.

How to Attach This Policy:

$ aws iam put-user-policy --user-name 'IAMUserName' \
--policy-name EnforceMFA \
--policy-document file://mfa-policy.json

Now the IAM user must use MFA to access AWS!

Best Practice for AWS IAM MFA

Require MFA for all IAM users – Protect AWS account from unauthorized access.

Use hardware or security keys for high-security accounts - Better protection than virtual MFA.

Enforce MFA via IAM Policies - Restrict access if MFA is not enabled.

Rotate MFA devices - ENsure backup devices in case of lost/stolen MFA tokens.

Enable MFA for root user - Critical for securing the AWS account owner.