Implementing Password Policies and Multi-Factor Authentication (MFA) in AWS

This guide provides step-by-step instructions for configuring a password policy and setting up MFA in AWS to secure your account effectively.

Step 1: Define a Password Policy

A password policy ensures strong credentials and enforces rules to improve account security. Follow these steps to define a password policy:

Steps to Configure Password Policy

1. Navigate to Account Settings:
   • Go to the IAM Console and click on Account Settings from the left-hand menu.
2. Locate Password Policy:
   • Find the Password Policy section and click Edit.
3. Customize the Policy:
   • Choose between the default password policy or configure a custom policy with the following options:
     • Minimum Password Length: Set a required number of characters.
     • Character Requirements:
       • At least one uppercase letter.
       • At least one lowercase letter.
       • At least one number.
       • At least one non-alphanumeric character (e.g., ?, @, #).
     • Password Expiration:
       • Set passwords to expire after a specified period (e.g., 90 days).
       • Enable administrative resets upon expiration if needed.
     • Allow Users to Change Passwords: Let IAM users update their own passwords.
     • Prevent Password Reuse: Block users from reusing previously used passwords.
4. Save Changes:
   • After customizing the policy, click Save to apply the settings.

Step 2: Enable Multi-Factor Authentication (MFA) for the Root Account

The root account is the most critical account in your AWS environment. Adding MFA ensures an extra layer of protection, combining something you know (password) with something you have (an MFA device).

Steps to Enable MFA

1. Access Security Credentials:
   • Log in as the root user.
   • Click on your account name in the AWS Management Console.
   • Select My Security Credentials.
2. Assign an MFA Device:
   • In the Multi-Factor Authentication (MFA) section, click Activate MFA.
   • Choose the type of MFA device:
     • Authenticator App (Virtual MFA Device):
       • Use apps like Google Authenticator or Authy.
       • This example uses an authenticator app.
     • Security Key (e.g., YubiKey).
     • Hardware TOTP Token.
3. Set Up the Authenticator App:
   • Open your authenticator app (e.g., Twilio Authenticator).
   • Select Show QR Code in the AWS Console.
   • Use your phone to scan the QR code displayed in AWS.
   • The app will add the AWS account and begin generating MFA codes in real time.
4. Verify the Device:
   • Enter the first MFA code displayed on the app.
   • Wait for the code to refresh, then enter the second MFA code.
   • Click Add MFA to complete the setup.
5. Confirm and Manage MFA Devices:
   • You can configure up to 8 MFA devices for the root account.
   • The newly added device will appear in the list, where you can rename or remove it as needed.