Thursday, March 3, 2016

Getting Ready for AWS Securely (3/4) - Multiple Factor Authentication

(Part 3 of 4 - see previous post if you missed it)

As an additional mechanism to keep your account secure, AWS offers Multi-Factor Authentication (MFA). Using it is a necessity, not only for your root user, but also for any IAM users that have administrative privileges on your account.

AWS MFA uses a Time-based One-time Password (TOTP): a six-digit code that changes every thirty seconds. Both the AWS server and your MFA device run the same algorithm over the same seed value (a long secret key that both sides record at initialization time) and over the current time, so they each compute a code that varies over time but matches on the client and the server.

Amazon supports two types of MFA devices:  "hardware" (a physical device with a numeric display) or "virtual" (an app that runs on a mobile device).  Please note that if you use a mobile device for a "virtual" MFA, it's important that you not use that mobile device to sign in to AWS with your root user, since then both sign-in factors (root password and TOTP) will be on one device, effectively reverting back to "SFA" (single factor authentication), with the single factor in someone else's hands if your mobile device is ever stolen/hacked.  (It may even be unwise to access the email account associated with your AWS account using that mobile device, since the email account can be used to change the password.)

Whichever MFA type you select, it would be best to have it ready ahead of time, so that when you create your account you won't be inclined to skip that step.  For a physical MFA device you would purchase it from Gemalto.  For a virtual MFA device you would install the appropriate TOTP app (and probably also a QR code reader app that will allow you to scan the very long initial key from the screen, to save you from having to type it all in).

Note that, although you can actually change the root password without the MFA device (by following a password-reset link received from email), you can't alter/disable the root user MFA functionality that way.  For that you would have to be signed in as the root user, which requires a correct TOTP from the MFA device.

However, if the MFA device for the root user ever malfunctions or is lost, you must contact Amazon to remove the MFA restriction from the root user on the account. Amazon will contact you (via email or phone) and you will need to verify the answers to the three "security challenge questions" that you set up when first creating your account.

Note - although setting up the security challenge questions and answers is actually optional, it's very important to complete that section. Of course, the answers you list don't have to be honest or accurate (and, in fact, probably shouldn't be, since truthful answers would be vulnerable to social engineering); they just need to be answers you can reproduce accurately when asked. Whatever you come up with, write them down and store them securely.
(Jump to Part 4, Wrapping Up)
