ACCT.05 – Require multi-factor authentication (MFA) to log in - AWS Prescriptive Guidance

ACCT.05 – Require multi-factor authentication (MFA) to log in

With MFA, users have a device that generates a response to an authentication challenge. Each user's credentials and device-generated response are required to complete the sign-in process. As a security best practice, enable MFA for AWS account access, especially for long-term credentials such as the account root user and IAM users.

To set up MFA for the root user
  1. Sign in to the AWS Management Console at https://console.aws.amazon.com/.

  2. On the right side of the navigation bar, choose your account name, and then choose My Security Credentials.

  3. If necessary, choose Continue to Security Credentials.

  4. Expand the Multi-Factor Authentication (MFA) section.

  5. Choose Activate MFA.

  6. Follow the wizard instructions to configure your MFA devices accordingly. For more information, see Enabling MFA devices for users in AWS (IAM documentation).

To set up MFA in IAM Identity Center

To set up MFA for your own IAM user
  1. Using your sign-in credentials, sign in to the IAM console at https://console.aws.amazon.com/iam.

  2. In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.

  3. On the AWS IAM credentials tab, in the Multi-factor authentication section, choose Manage MFA device.

To set up MFA for other IAM users
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user for whom you want to enable MFA, and then choose the Security credentials tab.

  4. Next to Assigned MFA device, choose Manage.

  5. Follow the wizard instructions to configure your MFA devices accordingly. For more information, see Enabling MFA devices for users in AWS (IAM documentation).
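Once MFA is configured through the console steps above, the practical question is how to confirm that nothing was missed. The IAM credential report lists every IAM user plus the root user (which appears in the report as `<root_account>`) together with `password_enabled` and `mfa_active` columns. The following is an added example, not code from the AWS guidance, that parses that report and flags console-enabled identities without an MFA device. The rows in `SAMPLE_REPORT` are constructed and carry only the columns the check reads (the real report has more); the account ID 111122223333 is a documentation placeholder.

```python
"""Audit an IAM credential report for console-capable identities without MFA.

To obtain the real report (requires IAM permissions; not run here):
    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | base64 --decode > report.csv
"""
import csv
import io
from typing import Dict, List

# This is how the account root user is named in the credential report.
ROOT_USER = "<root_account>"

# Constructed sample report. Real reports contain additional columns
# (key rotation dates, certificates, etc.) which this check ignores.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true
"""


def find_missing_mfa(report_csv: str) -> List[Dict[str, str]]:
    """Return one finding per identity that can sign in to the console without MFA.

    The root user is always flagged when mfa_active is false, because the
    report marks its password_enabled field as 'not_supported' rather than
    'true'. IAM users with no console password (access-key-only users such as
    ci-deploy in the sample) are not flagged: an MFA device does not protect
    API calls made with long-term keys, so they need a different control
    (key rotation or an aws:MultiFactorAuthPresent policy condition).
    """
    findings: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["mfa_active"].strip().lower() == "true":
            continue  # MFA device assigned; nothing to report
        user = row["user"]
        if user == ROOT_USER:
            findings.append({
                "user": user,
                "severity": "critical",
                "reason": "root user has no MFA device",
            })
        elif row["password_enabled"].strip().lower() == "true":
            findings.append({
                "user": user,
                "severity": "high",
                "reason": "console password enabled without MFA",
            })
    return findings


def load_report(path: str) -> str:
    """Read a decoded credential report from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    for finding in find_missing_mfa(SAMPLE_REPORT):
        print(f"[{finding['severity'].upper()}] {finding['user']}: {finding['reason']}")
```

Running the block against the constructed sample reports the root user and `bob`; `alice` has MFA and `ci-deploy` has no console password, so neither is listed. To audit a real account, replace `SAMPLE_REPORT` with `load_report("report.csv")` after decoding the report as shown in the module docstring.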