How To Activate Multi Factor Authentication (MFA) On Your AWS Root User Account Using The Google Authenticator App.

Using multi-factor authentication on the root user account of your Amazon AWS account adds an extra layer of security: on top of typing in the correct password for the root account, the root user must also type in a passcode from a third-party app or device. AWS has support for most authenticator apps, USB MFA flash drives, hardware MFA devices and even text message based MFA. The choice of which MFA method to use depends on what works best for you. This tutorial provides a guide on how to activate MFA on your AWS root user account using the Google Authenticator app. You will also learn how to disable MFA if you wish to stop using it.

Requirements.

In order to complete this tutorial successfully the following items are required. Please have these items available before you start implementing this tutorial:
1) Authorised access to a root user account on Amazon AWS
2) An Android or Apple smartphone or tablet
3) The Google Authenticator app for Android / iOS
4) Authorised access to the AWS IAM MANAGEMENT CONSOLE

Overview

1) Go to the Amazon web console, log in with your root user account credentials and open the IAM MANAGEMENT CONSOLE
2) Go to the Google Play store or Android app store and download an authenticator app such as Google Authenticator
3) Scan the QR code displayed on the SET UP VIRTUAL MFA dialogue box, type in two consecutive MFA codes and click on ASSIGN MFA.
4) Test MFA by signing out of your AWS account and signing back in using the MFA code from the Google Authenticator app.

Step One: Login To AWS And Open IAM

1) Click HERE to go to the AWS management console, select the ROOT USER radio button and type your email address in the ROOT USER EMAIL ADDRESS text box.

Click on NEXT to proceed.

If you do not have an AWS account, click on the CREATE AWS ACCOUNT button. Please note that a working VISA or MASTERCARD is needed in order to sign up for a free AWS account.

2) Once you have logged into the AWS MANAGEMENT CONSOLE click on SERVICES and use the search bar at the top of the page to search for IAM.

Click on the IAM search result to open the IAM MANAGEMENT CONSOLE. Under the SECURITY STATUS options, click on the ACTIVATE MFA ON YOUR ROOT ACCOUNT drop down, then click MANAGE MFA.

3) On the YOUR SECURITY CREDENTIALS page, click on the MULTI-FACTOR AUTHENTICATION (MFA) dropdown and click on ACTIVATE MFA. A MANAGE MFA device dialogue box will be displayed.

4) On the MANAGE MFA device dialogue box, select the type of MFA device that you would like to use. In this case select the VIRTUAL MFA DEVICE option and click on CONTINUE. AWS also supports other types of MFA devices such as SECURITY KEYS AND SMART HARDWARE devices.

5) If you are interested in using a dedicated MFA security key or smart device you can purchase it online or at a local IT consumables retail store in your area. To give you an idea and rough estimate of how much an MFA device could cost, an MFA USB key costs about $15 USD or more and a smart OTP / MFA device costs about $35 USD on the AMAZON online store.

Step Two: Download An Authenticator App On Your Phone

6) If you are using an Android device, open the Google Play app and search for Google Authenticator. Select the Google Authenticator app as shown in the image on the right and click on INSTALL. If you are using an iPhone, open the app store, then search for and install the Google Authenticator app.

7) Click on the SHOW QR CODE link, open the GOOGLE AUTHENTICATOR application and from the app click on the SCAN A QR CODE option. Point the camera on the AUTHENTICATOR app at the barcode and, if the scan is successful, the AUTHENTICATOR app will indicate that the AWS ACCOUNT HAS BEEN ADDED.

Type the two consecutive codes displayed by the authenticator app into the MFA CODE 1 and MFA CODE 2 text input boxes and click on the ASSIGN MFA button.

8) When the MFA setup process is complete, a popup message will be displayed notifying you that you have successfully assigned a virtual MFA device. Click on the CLOSE button, then log out of your AWS account to try out the MFA sign in process.

9) When you try to log back in, AWS will first ask for the email address and password to your AWS account. Just before completing the sign in process, AWS will notify you that the account is secured using multi-factor authentication (MFA) and ask you to check your MFA device and type the authentication code.
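
Added example (not part of the original tutorial and not AWS's own code): the codes typed into MFA CODE 1 and MFA CODE 2 in step 7 are time-based one-time passwords (RFC 6238) derived from the secret carried in the QR code, so two consecutive codes come from adjacent time steps. The SHA-1 / 30-second / 6-digit parameters, the function names and the drift window are assumptions, and the secret is the RFC 6238 test value, not a real account secret.

```python
import base64, hashlib, hmac, struct

STEP = 30    # seconds per time step (assumed authenticator default)
DIGITS = 6   # code length (assumed authenticator default)

def decode_qr_secret(b32: str) -> bytes:
    """Decode the base32 secret carried in the QR code (spacing/padding may vary)."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, unix_time // STEP)

def verify_consecutive(secret, code1, code2, unix_time, drift_steps=1):
    """Hypothetical enrolment check: accept only when code1 and code2 belong to
    adjacent time steps close to the verifier's clock. Returns the step that
    produced code1, or None when the pair does not match."""
    now = unix_time // STEP
    for step in range(now - drift_steps, now + drift_steps + 1):
        ok1 = hmac.compare_digest(hotp(secret, step), code1)
        ok2 = hmac.compare_digest(hotp(secret, step + 1), code2)
        if ok1 and ok2:
            return step
    return None

# Constructed sample: base32 of the RFC 6238 test secret "12345678901234567890".
SAMPLE_SECRET_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    secret = decode_qr_secret(SAMPLE_SECRET_B32)
    t = 1111111109  # RFC 6238 test time, one second before a step boundary
    first, second = totp(secret, t), totp(secret, t + STEP)
    print(first, second, verify_consecutive(secret, first, second, t))
```

Because the codes depend only on the shared secret and the clock, anyone who captures the QR code can generate the same codes, and a phone whose clock is far off will fail the check.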