IAM MFA

Multi-Factor Authentication (MFA) is an additional layer of security for AWS Identity and Access Management (IAM) users. It requires users to provide two types of authentication before accessing AWS resources:

  1. Something they know - Their AWS IAM Username and Password.

  2. Something they have - A one-time password (OTP) from a registered MFA device.

Why Enable MFA?

  • Enhances Security - Prevents unauthorized access, even if credentials are stolen.

  • Protects sensitive AWS resources - Reduces risk of account compromise.

  • Required for compliance - Helps meet security standards.

  • Supports AWS CLI and SDKs.

Types of MFA in AWS

AWS supports three types of MFA devices.

MFA type              Description                                     Example devices
Virtual MFA (TOTP)    Software-based MFA app generating OTP codes     Google Authenticator, Authy, Microsoft Authenticator
U2F security key      Physical USB/NFC key for authentication         YubiKey, Titan Security Key
Hardware MFA token    Physical device generating OTP codes            Gemalto, SurePassID


  • Virtual MFA is the most common and free option.

  • Security keys offer the highest level of protection against phishing.


How to Enable MFA for an IAM User


Method 1: Using AWS Management Console (GUI)


Steps to enable MFA for an IAM User:


  1. Sign in to the AWS IAM Console.

  2. Navigate to Users and select the IAM user.

  3. Click Security credentials → scroll to Multi-factor authentication (MFA).

  4. Click Assign MFA device → Choose Virtual MFA, Security Key, or Hardware MFA

  5. For Virtual MFA

    1. Open a TOTP authenticator app.

    2. Scan the QR Code shown on AWS.

    3. Enter two consecutive OTP codes from the app.

    4. Click Assign MFA.

  6. For Security Key:

    1. Insert or tap your FIDO2 security key when prompted.

  7. MFA is now enabled! The user must enter an OTP or use a security key when signing in.


Method 2: Using AWS CLI

Steps to Enable MFA using AWS CLI:


Step 1: Create a Virtual MFA Device


Run the following command to list IAM Users:

$ aws iam list-users


Then, assign an MFA device:

$ aws iam create-virtual-mfa-device --virtual-mfa-device-name 'MyMFADevice'

This returns an ARN (e.g., arn:aws:iam::1234567890:mfa/MyMFADevice).



Step 2: Enable MFA for a User


$ aws iam enable-mfa-device  \
--user-name IAMUserName  \
--serial-number 'arn:aws:iam::1234567890:mfa/MyMFADevice'  \
--authentication-code-1 123456  \
--authentication-code-2 789012


  • Replace IAMUserName with the user's name and the two authentication codes with consecutive OTPs from your MFA device.

How to Enforce MFA for AWS IAM Users

To force IAM users to use MFA, create an IAM policy that:

  • Denies all actions unless MFA is enabled.

  • Requires MFA authentication for high-security tasks.


Example IAM Policy to enforce MFA:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}


What this does:

  • Denies access unless the user has MFA enabled.

  • Applies to all AWS actions and resources.

  • Users without MFA cannot perform any AWS actions.
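Why the statement uses BoolIfExists rather than Bool, shown with a small evaluator. This is an added example and not AWS's evaluation engine: it models only the Bool and BoolIfExists operators, and the request contexts are constructed. With plain Bool, a request signed with long-term access keys carries no aws:MultiFactorAuthPresent key at all, so the condition would not match and the request would not be denied.

```python
"""Simplified model of IAM Bool / BoolIfExists condition evaluation.
Added example, not AWS code."""

# The page's EnforceMFA Deny statement (condition value quoted, as IAM expects).
ENFORCE_MFA_DENY = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}
# Same statement with plain Bool, a common mistake.
WEAK_DENY = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
}
# Constructed request contexts, with the key set the way AWS sets it:
# present only for temporary credentials, absent for long-term access keys.
CONTEXTS = {
    "console session with MFA": {"aws:MultiFactorAuthPresent": "true"},
    "temporary credentials without MFA": {"aws:MultiFactorAuthPresent": "false"},
    "long-term access key": {},
}


def condition_matches(condition: dict, context: dict) -> bool:
    """True when every condition key matches. Bool never matches a missing
    context key; BoolIfExists treats a missing key as a match."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        if base != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, want in keys.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            if str(context[key]).lower() != str(want).lower():
                return False
    return True


def deny_applies(statement: dict, context: dict) -> bool:
    """An explicit Deny applies whenever its condition matches the request."""
    return statement["Effect"] == "Deny" and condition_matches(
        statement["Condition"], context)


def evaluate(statement: dict) -> dict:
    """Map each sample context to whether the statement denies that request."""
    return {name: deny_applies(statement, ctx) for name, ctx in CONTEXTS.items()}
```

Running evaluate(WEAK_DENY) shows the long-term access key request slipping through, which is exactly the gap BoolIfExists closes.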


How to Attach This Policy:


$ aws iam put-user-policy --user-name 'IAMUserName'  \
--policy-name EnforceMFA  \
--policy-document file://mfa-policy.json


  • Now the IAM user must use MFA to access AWS!

Best Practice for AWS IAM MFA


  • Require MFA for all IAM users - Protects the AWS account from unauthorized access.

  • Use hardware or security keys for high-security accounts - Better protection than virtual MFA.

  • Enforce MFA via IAM policies - Restrict access if MFA is not enabled.

  • Rotate MFA devices - Ensure backup devices are available in case of lost or stolen MFA tokens.

  • Enable MFA for the root user - Critical for securing the AWS account owner.

IAM Password Policies

An IAM Password Policy in AWS defines the rules and requirements for how IAM users create and manage their passwords. It helps enforce strong security practices by requiring complexity, expiration, and rotation policies.

Why Use IAM Password Policies

  • Prevent weak passwords that are easy to guess.

  • Ensure compliance with security standards.

  • Reduce the risk of brute-force and credential-stuffing attacks.

  • Enforce regular password updates and multi-factor authentication (MFA).

Key Features of IAM Password Policies

AWS IAM password policies let you:

  • Set minimum password length (at least 8 characters)

  • Require character complexity (uppercase, lowercase, numbers, symbols).

  • Enable password expiration (force password changes after a specific time).

  • Prevent password reuse (restrict reusing old passwords).

  • Allow users to change their password (self-service).

  • Enforce multi-factor authentication (MFA) for better security.

Default AWS Password Policy

By default, AWS does not enforce a strict password policy.

  • This means that IAM users can create weak passwords unless an admin enforces stricter rules.

Configuring an IAM Password Policy

Method 1: Using AWS Management Console (GUI)

Steps to configure IAM Password Policy

  1. Sign in to AWS Management Console

  2. In the left panel, select Account settings.

  3. Scroll down to Password policy and click Edit.

  4. Set the password policy rules.

  5. Click save changes.


Method 2: Using AWS CLI

You can also set an IAM password policy using the AWS CLI.

Example:

$ aws iam update-account-password-policy  \
--minimum-password-length '12'  \
--require-uppercase-characters  \
--require-lowercase-characters  \
--require-numbers  \
--require-symbols  \
--password-reuse-prevention '5'  \
--max-password-age '90'  \
--allow-users-to-change-password



Checking Current IAM Password Policy

To view the current password policy, run:

$ aws iam get-account-password-policy
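To check whether an account already meets the baseline the CLI command above configures, the output of get-account-password-policy can be audited. Added example, not AWS code; the sample output is constructed in the shape the CLI returns, and the baseline values are the ones from the update command above.

```python
"""Audit `aws iam get-account-password-policy` output against a baseline.
Added example, not AWS code; the sample output is constructed."""
import json

# Constructed sample in the shape the CLI prints: a weak policy with
# no expiration and no reuse prevention (absent keys mean "not enforced").
SAMPLE_OUTPUT = """{
  "PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": false,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": false
  }
}"""

# Baseline taken from the update-account-password-policy command above.
BASELINE = {
    "MinimumPasswordLength": 12,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "PasswordReusePrevention": 5,
    "MaxPasswordAge": 90,
    "AllowUsersToChangePassword": True,
}


def audit_password_policy(cli_output: str) -> list:
    """Return findings as 'Setting: have X, want Y'; an empty list meets the baseline."""
    policy = json.loads(cli_output)["PasswordPolicy"]
    findings = []
    for key, want in BASELINE.items():
        have = policy.get(key)
        if key in ("MinimumPasswordLength", "PasswordReusePrevention"):
            ok = have is not None and have >= want       # stronger is fine
        elif key == "MaxPasswordAge":
            ok = have is not None and 0 < have <= want   # shorter is fine
        else:
            ok = have is True
        if not ok:
            findings.append(f"{key}: have {have!r}, want {want!r}")
    return findings
```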


Deleting an IAM Password Policy


If you need to remove the password policy:

$ aws iam delete-account-password-policy

IAM Role

An IAM Role is an AWS Identity that has permissions to perform actions on AWS services but isn't associated with a specific user or group. Instead, IAM roles are assumed by AWS Services, IAM Users, or external identities to gain temporary access to AWS resources.


IAM Roles use temporary security credentials and are commonly used for:

  • Granting AWS Services access to other AWS resources.

  • Allowing users from other AWS Accounts or identity providers to access AWS.

  • Enabling applications and workloads running outside AWS to securely access AWS Services.

Key Features of IAM Roles

  • No long-term credentials:
    Uses temporary security tokens via AWS STS.

  • Can be assumed by entities:
    Users, applications, AWS Services, or external identities.

  • Fine-grained access control:
    Policies define what actions the role can perform.

  • Used in cross-account access:
    Allows sharing of resources between AWS Accounts.

  • Federated Access:
    Works with third-party identity providers.

How IAM Roles Work

  • A trusted entity such as a user, service, or application assumes the role.

  • AWS Security Token Service (STS) issues temporary security credentials.

  • The entity uses these credentials to access AWS Services.

  • Credentials expire after a short period, ensuring security.


Example use case: An EC2 instance needs to read an S3 bucket. Instead of storing static credentials, an IAM role is assigned to the instance to grant the necessary permissions.

Components of an IAM Role

Component            Description
Trust policy         Defines who can assume the role.
Permissions policy   Defines what actions/resources the role can access.
Session duration     Temporary credentials expire after a specific time (default 1 hour, max 12 hours).
Assume role action   AWS STS is used to assume the role and obtain credentials.



Example: Trust Policy for an IAM Role (EC2 Instance Access)


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


This allows an EC2 instance to assume the role.

Types of IAM Roles

AWS provides different types of IAM roles for different use cases:

  • Service Role (AWS Service Role)

  • Role for Cross-Account Access

  • Role for Identity Federation.

Service Role (AWS Service Role)

  • Used by AWS services such as EC2, Lambda, and RDS to access other AWS resources.

  • Example: An EC2 instance role to access an S3 bucket.

  • Assigned directly to AWS Services via the AWS Console or CLI.

Example: EC2 Role to Read S3


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}


Role for Cross-Account Access

  • Used to grant access between AWS Accounts.

  • Example: A role in Account A that users from Account B can Assume.

Example: trust policy for cross-account access (allows Account B to assume the role):


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B-ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Role for Identity Federation

  • Allows users from an external identity provider to access AWS (e.g., SSO, Google, Active Directory).

  • Used for SSO (Single Sign-On) with services like Google, Okta, or Active Directory.

Example: trust policy for Google authentication:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}
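The three trust policies above differ only in their Principal key, which is what determines the role type. Added example, not AWS code: a classifier that maps each Allow statement to one of the three role types above and flags an Action that does not fit the principal type, or a wildcard principal; the samples are the page's own trust policies, with ACCOUNT-B-ID kept as a placeholder.

```python
"""Classify trust policies by Principal type and flag mismatched Actions.
Added example, not AWS code; samples are the page's trust policies."""
import json

# Principal key -> (role type from the page, STS actions that fit it).
PRINCIPAL_TYPES = {
    "Service": ("service role", {"sts:AssumeRole"}),
    "AWS": ("cross-account access", {"sts:AssumeRole"}),
    "Federated": ("identity federation",
                  {"sts:AssumeRoleWithWebIdentity", "sts:AssumeRoleWithSAML"}),
}

SAMPLES = {
    "ec2": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
           '"Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}',
    "cross_account": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
           '"Principal":{"AWS":"arn:aws:iam::ACCOUNT-B-ID:root"},"Action":"sts:AssumeRole"}]}',
    "google": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
           '"Principal":{"Federated":"accounts.google.com"},'
           '"Action":"sts:AssumeRoleWithWebIdentity"}]}',
}


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Principal values and Action."""
    return value if isinstance(value, list) else [value]


def classify_trust_policy(document: str) -> list:
    """Return one dict per Allow statement: role type, principals, problems."""
    results = []
    for stmt in _as_list(json.loads(document)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # bare "*" means any principal, same as {"AWS": "*"}
            principal = {"AWS": "*"}
        actions = set(_as_list(stmt.get("Action", [])))
        for ptype, ids in principal.items():
            role_type, fitting = PRINCIPAL_TYPES.get(ptype, ("unknown", set()))
            problems = []
            if not actions & fitting:
                problems.append(f"actions {sorted(actions)} do not fit a {ptype} principal")
            if "*" in _as_list(ids):
                problems.append("wildcard principal: any AWS identity could assume this role")
            results.append({"type": role_type, "principals": _as_list(ids),
                            "problems": problems})
    return results
```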

How to Create an IAM Role

Method 1: Using AWS Management Console

  1. Go to IAM Console → Click Roles → Create Role.

  2. Select Trusted Entity (AWS Service, Another AWS Account, or Identity Provider)

  3. Attach Permissions (Select an existing policy or create a new one)

  4. Name the Role and add an optional description

  5. Click Create role. The role is now ready to be assumed.

Method 2: Using AWS CLI

Step 1: Create a Trust Policy JSON File (trust-policy.json)


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


Step 2: Create the IAM Role

Run the following AWS CLI Command:

$ aws iam create-role --role-name 'MyEC2Role' --assume-role-policy-document 'file://trust-policy.json'



Step 3: Attach a Policy to the Role

Attach an S3 Read-Only Policy to the role:

$ aws iam attach-role-policy --role-name 'MyEC2Role' --policy-arn 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'


Step 4: Verify Role Creation

$ aws iam get-role --role-name 'MyEC2Role'


Assuming an IAM Role

Entities such as users, services, or applications assume a role to get temporary credentials.


AWS CLI Example: Assume a Role

$ aws sts assume-role --role-arn "arn:aws:iam::ACCOUNT-ID:role/MyRole" --role-session-name "Session1"


  • This returns temporary security credentials (AccessKey, SecretKey, SessionToken).


Best Practices for IAM Roles

  • Use IAM Role instead of IAM Users:
    Avoid long-term credentials.

  • Apply Least Privilege:
    Assign only the necessary permissions.

  • Use Conditions:
    Restrict access by IP, MFA, or time-based conditions.

  • Monitor Role Activity:
    Use AWS CloudTrail for tracking role usage.

  • Rotate IAM Roles Regularly:
    Update role and policies periodically.