In this part of the IAM series, I will explain how to create sign-in credentials and configure Multi-Factor Authentication (MFA). If we want our IAM users to connect to AWS services via the console, we have to assign a password to them. By configuring MFA, we can also add an extra security layer. MFA can also be used for controlling access to AWS APIs.
Let’s start with sign-in credentials.
When we click “Manage_Password”, we can assign an auto-generated or custom password to our user.
I will use an auto-generated password. I can copy my password or download the credentials.
If I open the “https://1305xxxxxxxx.signin.aws.amazon.com/console” URL, I will be able to access the console with my IAM users. If you want to log in with the root account again, you can click the “Sign-in using root account credentials” link.
Now I will log in with my “User_admin” user and I can access the console with the permissions granted (in previous posts, we had denied the “start_instances” action to User_admin).
As expected, the user couldn’t start the instance. If you want to use IAM with console access, it is better to provide a user-friendly URL. Again on the dashboard screen, by clicking “Create account alias”, we can create a user-friendly URL. I used “wekanban” as my account alias.
As you know, it is a security practice to rotate your passwords. You can keep, change (auto-generated or custom) or remove the password of an IAM user.
So it is time to configure MFA. We can configure MFA with a virtual or a hardware device. AWS provides different devices, as listed in this link. I will use Google Authenticator in my example.
I open Google Authenticator on my device and select “scan barcode”.
I scan the QR code and the device generates the authentication codes for me.
Again I open my https://wekanban.signin.aws.amazon.com/console URL. I check the “I have an MFA Token” checkbox and use the code generated by my virtual device.
I can successfully log in to the AWS console. Remember that if you try to log in without the MFA code, you cannot log in and the console warns you with “Your authentication information was incorrect. Please try again”.
In the next posts, I will explain Roles, Identity Providers and Password Policy.
If you have any questions or comments, please feel free to write, and please don’t forget to share.