Multi-Factor-Authentication - Navigating GDPR Compliance on AWS

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

Multi-Factor-Authentication

For extra security, you can add two-factor authentication to your AWS account and to IAM users. With multi-factor authentication (MFA) enabled, when you sign into the AWS Management Console, you are prompted for your credentials (the first factor), as well as an authentication response from your AWS MFA device (the second factor). You can enable MFA for your AWS account and for individual IAM users you have created in your account. You can also use MFA to control access to AWS service APIs.

For example, you can define a policy that allows full access to all AWS API operations in Amazon EC2, but explicitly denies access to specific API operations—such as StopInstances and TerminateInstances—if the user is not authenticated with MFA.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllActionsForEC2",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyStopAndTerminateWhenMFAIsNotPresent",
      "Effect": "Deny",
      "Action": [
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
      }
    }
  ]
}
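The following is an added example, not part of the whitepaper and not AWS's own policy engine: a small evaluator for the subset of IAM logic this policy relies on (action wildcards, explicit deny overriding allow, and the Bool / BoolIfExists condition operators). It embeds the policy above and three constructed request contexts; the contexts reflect the documented fact that aws:MultiFactorAuthPresent is absent for requests signed with long-term access keys, and present as true or false for temporary credentials.

```python
import fnmatch
import json

POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAllActionsForEC2", "Effect": "Allow",
     "Action": "ec2:*", "Resource": "*"},
    {"Sid": "DenyStopAndTerminateWhenMFAIsNotPresent", "Effect": "Deny",
     "Action": ["ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")

def _condition_matches(condition, context):
    """Evaluate a Condition block against request context keys (Bool / BoolIfExists only)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                # ...IfExists treats a missing key as a match; plain Bool does not match
                if operator.endswith("IfExists"):
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def with_operator(policy, operator):
    """Copy of POLICY with the deny statement's operator swapped, to compare Bool vs BoolIfExists."""
    p = json.loads(json.dumps(policy))
    p["Statement"][1]["Condition"] = {operator: p["Statement"][1]["Condition"]["BoolIfExists"]}
    return p

# Constructed request contexts (hypothetical callers):
LONG_TERM_KEY = {}                                      # access key, no session: key absent
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}  # temporary creds, no MFA
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}      # temporary creds after MFA
```

Swapping BoolIfExists for Bool lets a long-term access key terminate instances, because the missing key makes the Deny condition evaluate to false; that is why the whitepaper's policy uses BoolIfExists.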

To add an extra layer of security to your Amazon S3 buckets, you can configure MFA Delete, which requires additional authentication to change the versioning state of a bucket and permanently delete an object version. MFA Delete provides added security in the event that your security credentials are compromised.

To use MFA Delete, you can use either a hardware or virtual MFA device to generate an authentication code. See the Multi-factor Authentication page for a list of supported hardware or virtual MFA devices.