This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Multi-Factor Authentication
For extra security, you can add two-factor authentication to your AWS account and to IAM users. With multi-factor authentication (MFA) enabled, when you sign in to the AWS Management Console
For example, you can define a policy that allows full access to all AWS API operations in Amazon EC2, but explicitly denies access to specific API operations, such as StopInstances and TerminateInstances, if the user is not authenticated with MFA.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllActionsForEC2",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyStopAndTerminateWhenMFAIsNotPresent",
      "Effect": "Deny",
      "Action": [
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
      }
    }
  ]
}
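To see why the Deny statement uses BoolIfExists rather than Bool, the following toy evaluator walks the policy above against three request contexts: a session that authenticated with MFA, a session that did not, and a request signed with long-term access keys, for which the aws:MultiFactorAuthPresent key is absent from the request context entirely. This is an added example, not code from the whitepaper or from AWS; it models only the parts of IAM evaluation the policy depends on (explicit Deny wins over Allow, wildcard action matching, the Bool and BoolIfExists operators) and ignores Resource and Principal matching. The context dictionaries are constructed for illustration.

```python
"""Toy IAM-style evaluator for the MFA condition policy (not AWS code).

Models just enough of IAM evaluation to show the Bool vs BoolIfExists
difference: explicit Deny beats Allow, '*' wildcards in Action, and the
treatment of a condition key that is missing from the request context.
"""
import copy
from fnmatch import fnmatchcase

# The whitepaper's policy with the Condition block as IAM expects it.
MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAllActionsForEC2", "Effect": "Allow",
         "Action": "ec2:*", "Resource": "*"},
        {"Sid": "DenyStopAndTerminateWhenMFAIsNotPresent", "Effect": "Deny",
         "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Constructed request contexts (assumptions, not captured data):
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}      # temp creds, MFA used
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}  # temp creds, no MFA
LONG_TERM_KEYS = {}  # access key request: the MFA key is not in the context


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if key not in context:
                # Missing key: plain Bool fails the test, the IfExists variant
                # treats the missing key as a match.
                if operator == "Bool":
                    return False
                continue
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, context):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action.

    Any matching Deny wins; otherwise a matching Allow grants access; with no
    matching statement at all the result is an implicit deny.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def with_operator(policy, operator):
    """Copy the policy with its MFA condition operator swapped (e.g. to Bool)."""
    variant = copy.deepcopy(policy)
    for stmt in variant["Statement"]:
        cond = stmt.get("Condition", {})
        for op in list(cond):
            if op in ("Bool", "BoolIfExists"):
                cond[operator] = cond.pop(op)
    return variant


# The weakened form a practitioner might write by mistake.
WEAK_POLICY = with_operator(MFA_POLICY, "Bool")


if __name__ == "__main__":
    contexts = [("MFA session", MFA_SESSION), ("no-MFA session", NO_MFA_SESSION),
                ("long-term keys", LONG_TERM_KEYS)]
    for name, policy in (("BoolIfExists", MFA_POLICY), ("Bool", WEAK_POLICY)):
        for label, ctx in contexts:
            print(f"{name:12} {label:15} TerminateInstances ->",
                  evaluate(policy, "ec2:TerminateInstances", ctx))
```

Run stand-alone, the script shows the intended policy denying StopInstances and TerminateInstances for both the no-MFA session and the long-term-key request, while the Bool variant lets the long-term-key request through, because the missing context key makes the Deny condition fail to match. That is the bypass BoolIfExists closes: an attacker holding only a leaked access key never has the aws:MultiFactorAuthPresent key in their request context.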
To add an extra layer of security to your Amazon S3 buckets, you can configure MFA Delete, which requires additional authentication to change the versioning state of a bucket and permanently delete an object version. MFA Delete provides added security in the event that your security credentials are compromised.
To use MFA Delete, you can use either a hardware or virtual MFA device to generate an authentication code. See the Multi-factor Authentication page