Bobcares

Enforce MFA AWS Console | How To?

by | Sep 21, 2022

In this article, let’s see how to enforce MFA for the AWS console. At Bobcares, with our AWS Support Services, we can handle your AWS issues.

How to enforce MFA for the AWS console?

Securing AWS accounts is one of the most essential security considerations for organizations that use AWS. Managing an account with a few users may be a difficult task. However, as the number of users grows over time, the management becomes simple. Enabling Multi-Factor Authentication for AWS account users is one of the most common security enhancements.


In this article, we will provide the steps to enforce Multi-Factor Authentication for the AWS console.

Enforcing MFA for the AWS console: A step-by-step process

The basic process involves creating the required policy, creating a test user, and verifying the setup.

1. Creating Policy

Firstly, create the following policy in the Policies section of the IAM service. The policy below allows a user to execute only a limited set of actions connected to their own account, such as changing their password or configuring an MFA device. If the user signs in without an MFA device, the policy prevents them from performing any other actions. This lets any user sign in for the first time and configure their own MFA device.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
                "iam:ChangePassword"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

Give the policy a name and finish creating it.

2. Creating A Test User

Go to the IAM service’s Users area and create a new user using the following options:

  • Name: testuser
  • AWS Credential Type: AWS Management Console access with an autogenerated password that must be changed at first sign-in.
  • Navigate to “Attach existing policies directly” under the permissions section, search for the name of the previously established policy, and add it to the user.
  • Also, include the AmazonEC2FullAccess policy, which grants the user complete access to the EC2 service.
  • Keep the remaining choices at their defaults and proceed to create the user.
  • Now a password is generated. This password is needed to log the new user in to the console.

3. Verifying The Setup

We can run the following steps in order to verify the setup.

  • Firstly, log in to the AWS management console as the newly created testuser.
  • Now go to the EC2 instances console. We will see the message “You are not authorized to perform this operation.” Even though the user has full access to the EC2 service, EC2 resources cannot be managed before signing in with MFA.
  • Now to set up the MFA, go to the dashboard of the IAM section. Permission error alerts will appear on the dashboard.
  • Then select Add MFA >> Assign MFA Device >> Virtual MFA device.
  • Install an MFA app on the user’s phone (Google, Microsoft, etc.) and finish the setup in AWS by scanning the QR code and then entering two consecutive MFA codes.
  • Once it finishes, we see the below message.
    You have successfully assigned virtual MFA
    This virtual MFA will be required during sign-in.
  • Now sign out. Then sign in again with the code from the authentication device.
  • Return to the EC2 instances dashboard after signing in. The error message is now replaced by the list of EC2 instances present.
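To make the behaviour seen in steps 1 and 3 concrete, here is an added Python example (not from the article, Bobcares or AWS) that simulates how IAM evaluates a trimmed-down copy of the policy above against the requests made during the verification steps. It shows the three rules the policy depends on: an explicit Deny wins over any Allow, NotAction applies the Deny to every action not in its list, and BoolIfExists treats a missing aws:MultiFactorAuthPresent key as satisfied, which is what happens when long-term access keys are used from the CLI. The account ID, the second user name, the ec2:* stand-in for AmazonEC2FullAccess and the request contexts are all constructed for this example; only the Bool and BoolIfExists operators are modelled, not the full IAM engine.

```python
import fnmatch

# Abbreviated copy of the MFA policy above plus a stand-in for the
# AmazonEC2FullAccess managed policy attached in step 2. Constructed for this
# example; only the statements needed to show the evaluation logic are kept.
POLICY_STATEMENTS = [
    {"Sid": "AllowManageOwnAccessKeys", "Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:ListAccessKeys"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Sid": "AllowManageOwnVirtualMFADevice", "Effect": "Allow",
     "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
     "Resource": "arn:aws:iam::*:mfa/${aws:username}"},
    {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
     "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice",
                "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
     "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                   "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                   "iam:ResyncMFADevice", "sts:GetSessionToken", "iam:ChangePassword"],
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    # Stand-in for AmazonEC2FullAccess (the real managed policy is broader)
    {"Sid": "EC2FullAccessStandIn", "Effect": "Allow",
     "Action": "ec2:*", "Resource": "*"},
]

# Request contexts as IAM would see them (constructed). With long-term access
# keys the aws:MultiFactorAuthPresent key is absent rather than "false".
CONSOLE_NO_MFA = {"aws:username": "testuser", "aws:MultiFactorAuthPresent": "false"}
CONSOLE_WITH_MFA = {"aws:username": "testuser", "aws:MultiFactorAuthPresent": "true"}
CLI_LONG_TERM_KEYS = {"aws:username": "testuser"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM matches actions and ARNs as case-insensitive globs (* and ?)
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _action_applies(stmt, action):
    if "Action" in stmt:
        return any(_glob(p, action) for p in _as_list(stmt["Action"]))
    # NotAction: the statement applies to every action NOT in the list
    return not any(_glob(p, action) for p in _as_list(stmt["NotAction"]))


def _resource_applies(stmt, resource, ctx):
    username = ctx.get("aws:username", "")
    patterns = [p.replace("${aws:username}", username) for p in _as_list(stmt["Resource"])]
    return any(_glob(p, resource) for p in patterns)


def _condition_applies(stmt, ctx):
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if operator == "BoolIfExists" and key not in ctx:
                continue          # a missing key satisfies the ...IfExists form
            if operator not in ("Bool", "BoolIfExists"):
                raise ValueError(f"operator {operator} is not modelled here")
            if str(ctx.get(key, "")).lower() != str(expected).lower():
                return False      # plain Bool with a missing key also fails here
    return True


def evaluate(action, resource, ctx, statements=POLICY_STATEMENTS):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Mirrors the core IAM rule: an explicit Deny wins over any Allow, and a
    request that matches no Allow statement is implicitly denied.
    """
    decision = "ImplicitDeny"
    for stmt in statements:
        if not (_action_applies(stmt, action)
                and _resource_applies(stmt, resource, ctx)
                and _condition_applies(stmt, ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def verification_walkthrough():
    """The requests made during the verification steps, plus two CLI-style cases."""
    own = "arn:aws:iam::123456789012:user/testuser"   # constructed account id
    other = "arn:aws:iam::123456789012:user/alice"     # constructed second user
    return {
        "ec2 before MFA (console)": evaluate("ec2:DescribeInstances", "*", CONSOLE_NO_MFA),
        "enable own MFA device": evaluate("iam:EnableMFADevice", own, CONSOLE_NO_MFA),
        "enable another user's MFA device": evaluate("iam:EnableMFADevice", other, CONSOLE_NO_MFA),
        "create access key before MFA": evaluate("iam:CreateAccessKey", own, CONSOLE_NO_MFA),
        "ec2 with long-term keys, no MFA": evaluate("ec2:DescribeInstances", "*", CLI_LONG_TERM_KEYS),
        "ec2 after MFA sign-in": evaluate("ec2:DescribeInstances", "*", CONSOLE_WITH_MFA),
    }


if __name__ == "__main__":
    for case, result in verification_walkthrough().items():
        print(f"{case:36s} -> {result}")
```

Running the block reproduces the verification walkthrough: the EC2 request is denied until the MFA sign-in, while enabling the user's own MFA device is allowed because iam:EnableMFADevice sits in the Deny statement's NotAction list and the Allow statement is scoped to ${aws:username}. The two extra cases show why the policy is written the way it is: creating an access key before MFA is refused because that action is not in the NotAction list, and a request made with long-term access keys is refused even though the MFA key is absent, which is exactly what BoolIfExists is for. The sts:GetSessionToken entry in the NotAction list is what lets such a CLI user obtain an MFA-backed session token before doing anything else.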


Conclusion

Security is one of the most important considerations when using AWS services. In this article, we provided the steps from our Tech team to enforce Multi-Factor Authentication (MFA) on the AWS console.
