AWS · How-To · Beginner · 4 min read

How to Enable MFA in AWS: Step-by-Step Guide

To enable MFA in AWS, sign in to the AWS Management Console, go to IAM > Users, select your user, then choose Security credentials and click Manage MFA device. Follow the prompts to activate a virtual or hardware MFA device for added security.

Syntax

Enabling MFA in AWS involves these main steps:

  • Sign in: Access the AWS Management Console with your user credentials.
  • Navigate to IAM: Go to the Identity and Access Management (IAM) service.
  • Select User: Choose the user account you want to secure.
  • Manage MFA Device: On the Security credentials tab, choose Manage MFA device to add one.
  • Activate MFA: Follow instructions to link a virtual or hardware MFA device.

This process adds a second step to your login, requiring a code from your MFA device.

```bash
aws iam enable-mfa-device --user-name <UserName> --serial-number <MFADeviceSerialNumber> --authentication-code1 <Code1> --authentication-code2 <Code2>
```

Example

This example shows how to enable a virtual MFA device for a user named alice using the AWS CLI. You first create the virtual MFA device, then activate it with two consecutive MFA codes from your authenticator app.

```bash
# Create the virtual device and write its QR code to a PNG for scanning.
# The AWS CLI requires --bootstrap-method together with --outfile.
aws iam create-virtual-mfa-device --virtual-mfa-device-name alice-mfa --bootstrap-method QRCodePNG --outfile /tmp/alice-mfa-qr.png

# Scan the QR code with your authenticator app, then activate the device.
# The serial number is the device ARN returned by the create command above.
aws iam enable-mfa-device --user-name alice --serial-number arn:aws:iam::123456789012:mfa/alice-mfa --authentication-code1 123456 --authentication-code2 789012
```

Output
Virtual MFA device created and enabled for user alice.
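The Syntax steps and the alice example above, chained into one script. This is an added example, not code from the original article: it captures the device ARN that create-virtual-mfa-device returns with --query instead of retyping it, checks that the two codes are six digits and not identical before calling AWS, and passes --bootstrap-method, which AWS CLI v2 requires alongside --outfile. It assumes AWS CLI v2 on PATH, already authenticated as a principal allowed to call iam:CreateVirtualMFADevice and iam:EnableMFADevice; the function names and the device naming scheme (user-mfa) are choices made here.

```shell
#!/bin/sh
# Added example (not code from the original article): enable a virtual MFA
# device for one IAM user in a single, checked flow.
# Assumptions: AWS CLI v2 on PATH, authenticated as a principal that may call
# iam:CreateVirtualMFADevice and iam:EnableMFADevice. Device name "<user>-mfa"
# is a convention chosen here.
set -eu

# A TOTP code is exactly six digits; reject anything else before calling AWS.
valid_mfa_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Activation needs two consecutive codes. Two identical codes mean the same
# 30-second window was read twice, which AWS rejects just like a wrong code.
valid_code_pair() {
  valid_mfa_code "$1" && valid_mfa_code "$2" && [ "$1" != "$2" ]
}

# Create the virtual device, write its QR code PNG to $2 and print only the
# SerialNumber (the device ARN that enable-mfa-device needs as --serial-number).
create_virtual_mfa() {
  aws iam create-virtual-mfa-device \
    --virtual-mfa-device-name "$1" \
    --bootstrap-method QRCodePNG \
    --outfile "$2" \
    --query 'VirtualMFADevice.SerialNumber' \
    --output text
}

# Bind the device to the user with two consecutive codes from the authenticator.
enable_mfa() {
  user="$1"; serial="$2"; code1="$3"; code2="$4"
  if ! valid_code_pair "$code1" "$code2"; then
    echo "enable_mfa: need two different six-digit codes" >&2
    return 2
  fi
  aws iam enable-mfa-device --user-name "$user" --serial-number "$serial" \
    --authentication-code1 "$code1" --authentication-code2 "$code2"
}

# Whole flow for one user: create the device, let the operator scan the QR
# code, read two consecutive codes from stdin, enable. Prints the device ARN
# on success so it can be recorded for later resync or deactivation.
enable_virtual_mfa_for_user() {
  user="$1"
  png="${TMPDIR:-/tmp}/${user}-mfa-qr.png"
  serial=$(create_virtual_mfa "${user}-mfa" "$png")
  printf 'Scan %s with the authenticator app, then enter two consecutive codes separated by a space: ' "$png" >&2
  read -r code1 code2
  status=0
  enable_mfa "$user" "$serial" "$code1" "$code2" || status=$?
  rm -f "$png"   # the QR code encodes the shared secret; do not leave it on disk
  [ "$status" -eq 0 ] || return "$status"
  echo "$serial"
}

# Usage: sh enable-mfa.sh <user-name>
[ $# -eq 0 ] || enable_virtual_mfa_for_user "$1"
```

Run it as `sh enable-mfa.sh alice`; the QR PNG is deleted as soon as activation is attempted, because it carries the TOTP seed and anyone who copies it can generate valid codes.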

Common Pitfalls

  • Wrong MFA codes: You must enter two consecutive codes from your MFA device during activation; entering incorrect codes will fail.
  • Device not synced: If your authenticator app time is off, codes may not work; ensure your device clock is accurate.
  • Missing permissions: Your IAM user must have permission to manage MFA devices; otherwise, you cannot enable MFA.
  • Using root account: MFA for the root user is enabled separately, through the AWS account settings, not through IAM > Users.

```bash
aws iam enable-mfa-device --user-name alice --serial-number arn:aws:iam::123456789012:mfa/alice-mfa --authentication-code1 111111 --authentication-code2 222222
# This will fail if the codes are incorrect or the device clock is out of sync.
```

Output
An error occurred (InvalidAuthenticationCode) when calling the EnableMFADevice operation: The authentication code is invalid.
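For the "missing permissions" and "device not synced" pitfalls, an added example (not from the original article): an inline IAM policy that grants a user only the calls the enable flow needs, scoped to their own user and their own device through the ${aws:username} policy variable, plus a deny that blocks everything else until the session is MFA-authenticated; and a resync helper for a drifted authenticator. It assumes the AWS CLI is authenticated as an administrator; the policy name SelfServiceMFA and the statement Sids are arbitrary choices, and under this policy the virtual device must be named exactly like the user (alice, not alice-mfa).

```shell
#!/bin/sh
# Added example (not from the original article). Assumptions: AWS CLI v2
# authenticated as an administrator; policy name and Sids are arbitrary.
set -eu

# One policy document serves every user: ${aws:username} is resolved by IAM
# at evaluation time. The Deny statement withholds everything except MFA
# setup itself (and sts:GetSessionToken) from sessions without MFA, so a
# user can bootstrap MFA but do nothing else until they have it.
self_service_mfa_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOwnVirtualMfaDevice",
      "Effect": "Allow",
      "Action": "iam:CreateVirtualMFADevice",
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "ManageOwnUserMfa",
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptMfaSetupUnlessMfaPresent",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } }
    }
  ]
}
EOF
}

# Attach the policy inline to one user (run as an administrator).
attach_self_service_mfa_policy() {
  aws iam put-user-policy --user-name "$1" \
    --policy-name SelfServiceMFA \
    --policy-document "$(self_service_mfa_policy)"
}

# "Device not synced": when codes stop working because the phone clock
# drifted, resync with two fresh consecutive codes instead of deleting and
# re-creating the device. Arguments: user, device ARN, code1, code2.
resync_mfa() {
  aws iam resync-mfa-device --user-name "$1" --serial-number "$2" \
    --authentication-code1 "$3" --authentication-code2 "$4"
}

# Usage: sh mfa-policy.sh <user-name>
[ $# -eq 0 ] || attach_self_service_mfa_policy "$1"
```

Attach it once per user (or convert it to a managed policy on a group); after that, users run the enable flow under their own credentials and the only error they can hit is the code check, not AccessDenied.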

Quick Reference

Here is a quick checklist to enable MFA in AWS:

  • Sign in to AWS Console
  • Open IAM service
  • Select the user
  • Go to Security credentials tab
  • Click Manage MFA device
  • Choose Virtual or Hardware MFA device
  • Scan QR code or enter serial number
  • Enter two consecutive MFA codes
  • Confirm and save

Key Takeaways

Enable MFA in AWS IAM to add a second layer of login security.
Use the AWS Console or CLI to activate a virtual or hardware MFA device.
Enter two consecutive MFA codes correctly to complete activation.
Ensure your device time is accurate to avoid code errors.
MFA on the root account is managed separately from IAM users.