Teri Radichel

Summary

The web content discusses the new capability of adding multiple Multi-Factor Authentication (MFA) devices to a single AWS IAM user account for enhanced security and flexibility.

Abstract

The article titled "Multiple MFA Devices for AWS IAM" by Teri Radichel highlights the recent update in AWS IAM that allows users to associate more than one MFA device with an IAM user account. This feature is beneficial for scenarios where a primary MFA device is lost, damaged, or inaccessible, ensuring that users can still authenticate using a backup device. Radichel emphasizes the utility of this update by sharing a personal anecdote where a Yubikey was nearly destroyed, underscoring the importance of having a secondary authentication method. The article also explores the practicality of using different MFA devices for web console access and automated processes, thereby compartmentalizing access controls and reducing the attack surface. Radichel demonstrates the process of adding a hardware MFA device alongside an existing virtual MFA device through the AWS Console, illustrating the ease of managing multiple MFA devices. The article concludes with a note on future exploration of limiting specific MFA devices to certain types of access, further enhancing security in AWS environments.

Opinions

  • The author, Teri Radichel, expresses enthusiasm about the ability to add multiple MFA devices to an AWS IAM user account, considering it a significant security enhancement.
  • Radichel shares a real-life scenario where a backup MFA device proved crucial, reinforcing the practical need for this AWS IAM feature.
  • The author prefers using a Yubikey for AWS Console access but opts for a virtual MFA device for automation, indicating a preference for hardware tokens for web-based interactions and software tokens for programmatic access.
  • Radichel notes initial confusion with the AWS Console interface when trying to add multiple MFA devices, suggesting there may have been a caching issue or ongoing updates by AWS at the time of her testing.
  • The article conveys the author's interest in further researching the potential to restrict automation access to a specific MFA device while using a different device for console access, highlighting her commitment to continuous improvement in AWS security practices.

Multiple MFA Devices for AWS IAM

ACM.120 Add more than one MFA device to an AWS IAM account for different purposes or in case of a lost device

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: MFA | Passwords | IAM | AWS Security | Okta

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I’m thrilled to see that we can now add multiple MFA devices to a user in AWS IAM. I’m stopping in the middle of another blog post to try it out. AWS SSO already allows multiple keys, but there are a few things you can’t do with AWS SSO, so you may still want to use AWS IAM in some cases, as explained in this blog series.

Why you might want multiple MFA keys for your AWS IAM account

I spoke about why this feature is needed at the AWS Atlanta Summit earlier this year. Let’s say you use a Yubikey and you have a crazy dog like the one we just got. It might be running around by your computer and break your Yubikey. With a backup device registered, you can still access your account.

In fact, earlier this year my husband was goofing around while I was working on my computer and I almost completely destroyed a Yubikey. Luckily it had two ends, and the one that worked in my mobile phone still worked, so I could still get into some of my accounts that used that key.

There’s also the possibility that you could lose your key or that it simply stops working. What about your root account? Perhaps you keep two different keys stored in two separate places in case one location or the other is affected by a disaster.

Separate MFA devices for automation and the AWS Console

I explained why I don’t use Yubikeys with the AWS CLI here:

Although I don’t want to install the Yubikey CLI on my primary work machine if I don’t have to, I do like using a Yubikey best to log in to websites.

It would be great if I could use a Yubikey for the AWS Console (web site) but a virtual MFA device for automation. That’s what I’m going to try out.

Adding a Yubikey to our IAM User account

We used CloudFormation to deploy a user account.

I explained how to use MFA with the AWS CLI in this post with virtual MFA:

In this post we used CloudFormation to auto-generate a password to use with the AWS console.

We leverage the AWS Console to enforce MFA on access to a user-specific AWS Secrets Manager secret. Because I could only add one MFA device to our user, I have been using the virtual MFA device both to log into the console and for automation.

Now I want to know if I can use a separate device for the AWS Console and automation.

Adding a second MFA device in the AWS Console

Log in to the AWS Console.

Click on the user for whom you want to add the second MFA device.

Note that the first time I logged in and looked at the screen where you can edit MFA, I initially did not see the new screen. I could only add one device. I added a new user and there I could see the new screen. Then I looked at a different user that had MFA assigned and there was no MFA device assigned! What? Not to worry. Clicking around some more, I was able to see the new MFA screen and all the existing MFA devices were present. It could be that AWS was rolling out updates or a caching issue, but just click around a bit and you should be able to see the screen below if you don't at first for an existing user.

MFA devices have moved to a list under the user password section.

We already have a virtual MFA device assigned.

Let’s see if we can add a hardware device also. Click “Assign MFA Device.”

Enter a Name. Select Security key.

After entering the PIN for my device and clicking the button, I now have two different types of MFA devices associated with the developer account.

If you recall from the post on using MFA with the CLI, you specify a particular MFA device to use with a profile. For our Developer user, we can specify the virtual MFA device as the MFA device for automation.
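The split described above, as an added example that is not code from the original post: the virtual (TOTP) MFA device is the one named in automation, because STS GetSessionToken takes a six-digit token code and a device serial, and a FIDO security key such as a Yubikey cannot be used for STS calls from the CLI at all, which is why it stays reserved for console logins. The script builds the virtual device's serial ARN, validates the code before calling STS, and writes the temporary credentials as a short-lived profile. The account ID, user and device names, profile name and the `aws` call's inputs are placeholders; only the AWS CLI options used (`--serial-number`, `--token-code`, `--duration-seconds`, `--query`, `--output text`) are real.

```shell
#!/bin/sh
# Added example (not from the original post). Account ID, device name and
# profile name below are placeholders; replace them with your own values.
set -eu

# Serial ARN of a *virtual* MFA device (arn:aws:iam::ACCOUNT:mfa/NAME).
# Only virtual or hardware TOTP devices have a serial usable with STS;
# FIDO security keys cannot be passed to get-session-token.
mfa_serial_arn() {
  printf 'arn:aws:iam::%s:mfa/%s' "$1" "$2"
}

# TOTP codes are exactly six digits; fail fast instead of burning an STS call.
valid_token_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Render one tab-separated STS line (AccessKeyId, SecretAccessKey,
# SessionToken) from stdin as a credentials-file profile block.
render_profile() {
  profile="$1"
  tab="$(printf '\t')"
  IFS="$tab" read -r access_key secret token
  printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n' \
    "$profile" "$access_key" "$secret" "$token"
}

# Ask STS for a one-hour session bound to the virtual device and append the
# result to a credentials file (defaults to the standard CLI location).
# Usage: get_session_profile ACCOUNT_ID DEVICE_NAME TOKEN_CODE [PROFILE] [FILE]
get_session_profile() {
  account_id="$1"; device_name="$2"; token_code="$3"
  profile="${4:-mfa-session}"
  creds_file="${5:-${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}}"
  if ! valid_token_code "$token_code"; then
    echo "token code must be six digits" >&2
    return 1
  fi
  aws sts get-session-token \
    --serial-number "$(mfa_serial_arn "$account_id" "$device_name")" \
    --token-code "$token_code" \
    --duration-seconds 3600 \
    --output text \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    | render_profile "$profile" >> "$creds_file"
}

# Manual run (needs the AWS CLI and a long-lived profile for the IAM user):
#   get_session_profile 123456789012 developer-virtual 123456 mfa-session
```

Automation then uses `--profile mfa-session` and never sees the security key; the long-lived access key alone cannot reach anything guarded by an `aws:MultiFactorAuthPresent` condition, so a leaked key without the virtual device is far less useful.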

Now you can test logging into the AWS Console using your new hardware MFA device assigned to the Developer IAM user.

One thing I would like to explore further: the ability to limit automation to a specific MFA device and console access to another.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab