Learn AWS: Account Security

Multi-Factor Authentication AKA Security First

Generally speaking, in AWS you are billed monthly based on what you use hourly. AWS EC2, the service that powers virtual environments, offers a wide range of “instances” starting from 0.006$/Hour to ones that cost 13$/Hour, so it’s clear that if someone hacks your account and order some servers while you are sleeping you could find a bad news in the morning.

That’s why AWS strongly suggests you to configure MFA.

What is MFA?

Multi-Factor Authentication increase the security of your account, requiring you to insert a temporary code, during the login, generated from a MFA Device (like the one used with bank accounts) or your smartphone.

How to enable MFA

After logging in, go to Security Credentials in the upper-right corner Account menu Account Menu

AWS will ask you to setup and use IAM, another security feature that helps you to create accounts with limited permissions, but for now just click on Continue to Security Credentials IAM Pop-up

Then open the MFA section and select Activate MFA Activate MFA

You’ll have 2 options:

  • A virtual MFA device (Google authenticator or similar)
  • A hardware MFA device (Key fob for $12.99)

Select Virtual MFA Device and install


Launch the application and point the camera to the QR-code on the screen, then insert two consecutives codes generated by the application and you’re done, the next time you’ll login AWS is going to ask . QR-Code

Identity and Access Management IAM

If you are using AWS in a team or a company, you have to make sure that each member has a user with only the necessary permissions, that’s why AWS offers you IAM.

What is IAM?

With IAM you have the ability to create Users, Groups, Roles, Policies and manage them.

How to use IAM

After logging in, go to Security Credentials in the upper-right corner Account menu Account Menu

If you have not done it before, AWS will ask you to setup and use IAM, click on Get Started with IAM Users IAM Pop-up

IAM Dashboard

Security Status

This section of the IAM Dashboard helps you to follow initial security best practices

Delete root access keys

You should delete access keys on the root account to prevent external API call with your root account and use IAM users instead.

Activate MFA on your account

By now you should have a green mark on this one because we have already activated MFA on the root account.

Create individual IAM Users

Create a User for any person that need access to this AWS account, even you.

Use groups to assign permissions

Assign permissions to Groups and not Users

Apply an IAM password policy

Require all IAM Users to use strong passwords configuring a password policy

Now that you have secured your account you can sleep soundly.