
Multi-factor authentication setup in AWS - Commands & Configuration

Introduction
Multi-factor authentication (MFA) adds an extra step to logging in by requiring a second form of verification. This helps protect your AWS account from unauthorized access even if your password is stolen.
When you want to secure your AWS root account with an extra layer of protection.
When you want to require MFA for IAM users to access sensitive AWS resources.
When you want to enforce MFA for AWS CLI or SDK access to prevent misuse.
When you want to comply with security policies that require MFA for cloud accounts.
When you want to reduce the risk of account compromise from phishing or password leaks.
Commands
This command creates a virtual MFA device in your AWS account and writes its QR code to an image file. You scan that QR code with an authenticator app such as Google Authenticator. The image encodes the device's secret seed, so treat the file as sensitive and delete it once the device has been activated.
Terminal
aws iam create-virtual-mfa-device --virtual-mfa-device-name my-mfa-device --outfile my-mfa-device-qr.png --bootstrap-method QRCodePNG
Expected Output
{
  "VirtualMFADevice": {
    "SerialNumber": "arn:aws:iam::123456789012:mfa/my-mfa-device",
    "Base32StringSeed": "BASE32SEEDVALUE",
    "QRCodePNG": "BASE64ENCODEDPNGDATA"
  }
}
--virtual-mfa-device-name - Sets the name of the MFA device.
--outfile - Saves the QR code image to a file.
--bootstrap-method - Specifies the format of the QR code output.
This command activates the MFA device for the IAM user by providing two consecutive codes from the authenticator app.
Terminal
aws iam enable-mfa-device --user-name my-user --serial-number arn:aws:iam::123456789012:mfa/my-mfa-device --authentication-code1 123456 --authentication-code2 789012
Expected Output
No output (command runs silently)
--user-name - Specifies the IAM user to enable MFA for.
--serial-number - Identifies the MFA device ARN.
--authentication-code1 - First MFA code from the app.
--authentication-code2 - Second MFA code from the app.
This command lists all MFA devices assigned to the IAM user to verify the setup.
Terminal
aws iam list-mfa-devices --user-name my-user
Expected Output
MFADevices:
- SerialNumber: arn:aws:iam::123456789012:mfa/my-mfa-device
  UserName: my-user
--user-name - Specifies the IAM user to list MFA devices for.
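The three commands above, run as one enrollment script. This is an added example, not code from the original page or from AWS: it wraps the page's create, enable and list commands with input checks (including the two-different-codes requirement from the Common Mistakes section), removes the QR image once the device is active, and confirms the device is attached to the user. It assumes the AWS CLI v2 is installed and that the caller's credentials carry iam:CreateVirtualMFADevice, iam:EnableMFADevice and iam:ListMFADevices on the target user; USER_NAME and DEVICE_NAME default to the page's placeholder values, and SAMPLE_LISTING is a constructed response used only for the offline self-check.

```shell
#!/bin/sh
# Added example, not code from the original page: runs the page's three
# "aws iam" commands as one enrollment script with input checks and a
# verification step. Assumes the AWS CLI v2 is installed and configured with
# iam:CreateVirtualMFADevice, iam:EnableMFADevice and iam:ListMFADevices on
# the target user. USER_NAME and DEVICE_NAME default to the page's placeholders.

USER_NAME="${USER_NAME:-my-user}"
DEVICE_NAME="${DEVICE_NAME:-my-mfa-device}"
QR_FILE="${QR_FILE:-${DEVICE_NAME}-qr.png}"

# A TOTP code from an authenticator app is exactly six digits.
is_totp_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# enable-mfa-device needs two consecutive codes, so both values must be
# well-formed and different; submitting the same code twice is rejected.
codes_are_usable() {
  is_totp_code "$1" && is_totp_code "$2" && [ "$1" != "$2" ]
}

# Succeeds when the serial in $1 appears as a SerialNumber in a
# list-mfa-devices response passed as $2 (JSON or YAML CLI output).
device_is_assigned() {
  printf '%s\n' "$2" | grep -Eq "SerialNumber\"?: *\"?$1(\"|\$)"
}

enroll_mfa() {
  # Step 1: create the device; the QR PNG (and the seed it encodes) goes to QR_FILE.
  serial=$(aws iam create-virtual-mfa-device \
      --virtual-mfa-device-name "$DEVICE_NAME" \
      --outfile "$QR_FILE" --bootstrap-method QRCodePNG \
      --query VirtualMFADevice.SerialNumber --output text) || return 1

  echo "Scan $QR_FILE with your authenticator app, then enter two consecutive codes."
  printf 'First code: ' && read -r code1
  printf 'Second code: ' && read -r code2
  if ! codes_are_usable "$code1" "$code2"; then
    echo "Need two different six-digit codes from consecutive 30-second windows." >&2
    return 1
  fi

  # Step 2: activate the device for the user.
  aws iam enable-mfa-device --user-name "$USER_NAME" --serial-number "$serial" \
      --authentication-code1 "$code1" --authentication-code2 "$code2" || return 1

  # The PNG is the device secret: once the device is active it is no longer needed.
  rm -f "$QR_FILE"

  # Step 3: confirm the device is attached to the user.
  listing=$(aws iam list-mfa-devices --user-name "$USER_NAME") || return 1
  if device_is_assigned "$serial" "$listing"; then
    echo "MFA device $serial is active for $USER_NAME."
  else
    echo "Device not found on $USER_NAME; check the enable step." >&2
    return 1
  fi
}

# Constructed sample of a list-mfa-devices JSON response, used only for the
# offline self-check below (not real output).
SAMPLE_LISTING='{"MFADevices": [{"UserName": "my-user", "SerialNumber": "arn:aws:iam::123456789012:mfa/my-mfa-device", "EnableDate": "2024-01-01T00:00:00+00:00"}]}'

# Run the real enrollment only when asked; otherwise exercise the checks offline.
if [ "${1:-}" = "enroll" ]; then
  enroll_mfa
else
  codes_are_usable 123456 789012 && echo "code check: ok"
  codes_are_usable 123456 123456 || echo "code check: rejects repeated code"
  device_is_assigned "arn:aws:iam::123456789012:mfa/my-mfa-device" "$SAMPLE_LISTING" && echo "listing check: ok"
fi
```

Run it as `sh enroll-mfa.sh enroll` to perform the real enrollment; with no argument it only exercises the local checks. Once the device is active, CLI sessions that must satisfy an MFA condition obtain temporary credentials with `aws sts get-session-token --serial-number <device ARN> --token-code <current code>`.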
Key Concept

If you remember nothing else from this pattern, remember: MFA requires setting up a device and activating it with two consecutive codes to add strong protection to your AWS account.

Common Mistakes
Using only one authentication code when enabling the MFA device.
AWS requires two consecutive codes to verify the device is synced correctly.
Provide two consecutive MFA codes from the authenticator app when running the enable-mfa-device command.
Not scanning the QR code with an authenticator app before enabling the device.
Without scanning, you cannot generate the required authentication codes.
Scan the QR code image file with an authenticator app before running the enable command.
Trying to enable MFA for the root user using IAM commands.
Root user MFA setup is done via the AWS Management Console, not CLI IAM commands.
Use the AWS Console to enable MFA on the root account.
Summary
Create a virtual MFA device and save its QR code image.
Scan the QR code with an authenticator app and enable the MFA device with two codes.
Verify the MFA device is assigned to the IAM user.