Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS console, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.
Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.
Protect your environment by using MFA, a security feature available at no extra cost that augments user name and password credentials. MFA requires users to prove physical possession of a hardware MFA token or MFA-enabled mobile device by providing a valid MFA code.
By default, AWS does not enable MFA for any user; you can enable it at any time, according to your security requirements. To do so, follow the steps below.
Using AWS Console:
Perform the following to determine if an MFA is enabled for all IAM users having a console password:
Using AWS CLI:
Download the credential report:
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d
Check the mfa_active column. If the status is false, MFA is not enabled for that user.
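The mfa_active check above can be scripted. The following is an added example, not part of the original page: it reads the decoded credential report (CSV) and lists every user whose password_enabled is true and whose mfa_active is false. The function names and the sample rows are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list IAM users that have a console password but no MFA,
# based on the decoded IAM credential report (CSV).

# Reads the decoded report on stdin and prints one offending user per line.
# Columns are located by header name, so column order does not matter.
users_without_mfa() {
  awk -F',' '
    { sub(/\r$/, "") }                      # tolerate CRLF line endings
    NR == 1 {
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("user" in col) || !("password_enabled" in col) || !("mfa_active" in col)) {
        print "credential report header not recognised" > "/dev/stderr"
        exit 2
      }
      next
    }
    # Only rows with password_enabled == "true" have a console password;
    # users without one are outside the scope of this check.
    $col["password_enabled"] == "true" && $col["mfa_active"] == "false" {
      print $col["user"]
    }
  '
}

# Constructed sample report (not real account data), trimmed to a few columns.
sample_report() {
  cat <<'EOF'
user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false
carol,arn:aws:iam::111122223333:user/carol,true,false
EOF
}

# Against a live account, after generating the report:
#   aws iam get-credential-report --query 'Content' --output text \
#     | base64 -d | users_without_mfa
```

An empty result means every user with a console password has MFA active; ci-deploy in the sample is skipped because it has no console password.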
Using AWS CLI:
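aws iam enable-mfa-device --user-name <user-name> --serial-number <mfa-device-serial-or-arn> --authentication-code1 <first-code> --authentication-code2 <second-code>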
If you want to remove MFA for the user, follow the same steps as in the Implementation section, then in the MFA section select the device type and click Remove.