Enabling Multi-Factor Authentication (MFA) for IAM users - AWS GovCloud (US)


For increased security, we recommend that you configure multi-factor authentication (MFA) to help protect your AWS GovCloud (US) resources. MFA adds extra security because it requires IAM users to enter a unique authentication code from an approved authentication device when they access AWS websites or services.

AWS GovCloud (US) offers security token-based MFA. You can assign a virtual or hardware MFA device to an IAM user or to your GovCloud administrator IAM user. The device generates a six-digit numeric code based on a time-synchronized, one-time password algorithm. The user must enter a valid code from the device on a second web page during sign-in. Each MFA device assigned to a user must be unique. A user cannot authenticate by entering a code from another user's device.

The following high-level procedure describes how to set up and use MFA in AWS GovCloud (US) and provides links to related information.

  1. MFA devices are supported only for IAM users, not for the root account. For more information, see AWS Management Console documentation.

  2. Get an MFA token device. You can enable only one MFA device per user, and the device can be used only by that user. Choose one of the following device types:

    • A hardware-based token device, such as one of the AWS-supported hardware token devices listed in the “Hardware Key Fob MFA Device for AWS GovCloud (US)” column of the MFA Form Factors table on the Multi-Factor Authentication page.

    • A virtual token device, which is a software application that is compliant with RFC 6238, a standards-based, time-based one-time password (TOTP) algorithm. You can install the application on a mobile device, such as a tablet or smartphone. For a list of apps you can use as virtual MFA devices, see the "Virtual MFA Applications" section of the Multi-Factor Authentication page.

  3. Enable the MFA device. There are two steps to enabling a device. First, you create an MFA device entity in IAM. Second, you associate the MFA device entity with the IAM user. You can perform these tasks in the AWS Management Console, AWS CLI, AWS Tools for Windows PowerShell, or the IAM API.

    For information about enabling MFA devices, see the following topics:

  4. Use the MFA device when you sign in to or access AWS resources.

For more information, see Using MFA Devices with Your IAM Sign-in Page and Enabling a Virtual Multi-Factor Authentication (MFA) Device.