MFA adds an extra security layer because it requires users to provide a unique authentication code from an AWS-supported MFA mechanism in addition to their regular sign-in credentials when they access AWS websites or services. If an attacker finds out the password, they still have to pass one extra layer: MFA requires a device for authentication.
By default, MFA is not activated for any user. If you want to activate MFA for a user, you need to log in to the root user account.
Perform the following steps to determine whether MFA is enabled for IAM users who have the AdministratorAccess policy:
Step 1: Sign in to the AWS console as the IAM admin user at https://console.aws.amazon.com/iam/
Step 2: Click on Policies in the left navigation pane
Step 3: Click on AdministratorAccess
Step 4: In the Summary, click on the Policy usage tab. This tab shows which IAM entities have this policy attached.
Step 5: For the audit, click on the IAM entity (group or user) that has this policy attached
Step 6: In the Summary section, click on the Security credentials tab
Step 7: Under Sign-in credentials, check whether an MFA device is listed under Assigned MFA device
Step 8: For the audit, repeat steps 3-7 for all other IAM users who have the AdministratorAccess policy.
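The same audit can be scripted against the IAM API instead of clicking through the console for every user. This is an added example, not part of the original walkthrough: `admin_users_without_mfa` works with a real `boto3.client("iam")`, while `FakeIam`, its sample users and the account id 123456789012 are constructed here so the script runs offline.

```python
"""Audit IAM users holding AdministratorAccess without an MFA device (added example).
admin_users_without_mfa() takes a real boto3 IAM client (boto3.client("iam")) or any
object with the same three calls; FakeIam is a constructed offline stand-in. Single-page
responses are assumed; use boto3 paginators for large accounts.
"""
from typing import Dict, List

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def admin_users_without_mfa(iam) -> List[str]:
    """Sorted usernames granted AdministratorAccess directly or via a group that
    have no MFA device (console step 7). Roles are skipped: MFA is a user property."""
    usage = iam.list_entities_for_policy(PolicyArn=ADMIN_POLICY_ARN)
    users = {u["UserName"] for u in usage.get("PolicyUsers", [])}
    for group in usage.get("PolicyGroups", []):  # expand group membership
        users.update(m["UserName"] for m in iam.get_group(GroupName=group["GroupName"])["Users"])
    return [u for u in sorted(users) if not iam.list_mfa_devices(UserName=u)["MFADevices"]]


class FakeIam:
    """Constructed stand-in for boto3's IAM client; sample data, not a real account."""
    def __init__(self, policy_users: List[str], groups: Dict[str, List[str]],
                 mfa: Dict[str, List[str]]) -> None:
        self._users, self._groups, self._mfa = policy_users, groups, mfa

    def list_entities_for_policy(self, PolicyArn: str) -> dict:
        assert PolicyArn == ADMIN_POLICY_ARN
        return {"PolicyUsers": [{"UserName": u} for u in self._users],
                "PolicyGroups": [{"GroupName": g} for g in self._groups],
                "PolicyRoles": []}

    def get_group(self, GroupName: str) -> dict:
        return {"Users": [{"UserName": u} for u in self._groups[GroupName]]}

    def list_mfa_devices(self, UserName: str) -> dict:
        return {"MFADevices": [{"SerialNumber": s} for s in self._mfa.get(UserName, [])]}


# Constructed sample: alice and bob hold the policy directly, carol and dave inherit
# it from the Admins group; only alice and carol have a virtual MFA device assigned.
SAMPLE_IAM = FakeIam(
    policy_users=["alice", "bob"],
    groups={"Admins": ["carol", "dave"]},
    mfa={"alice": ["arn:aws:iam::123456789012:mfa/alice"],
         "carol": ["arn:aws:iam::123456789012:mfa/carol"]},
)

if __name__ == "__main__":
    for user in admin_users_without_mfa(SAMPLE_IAM):
        print(f"FINDING: {user} has AdministratorAccess but no MFA device")
```

Running it against the sample account reports bob and dave; against a real account, users with only programmatic access keys will also appear, so cross-check with `get_login_profile` before treating a finding as a console-access risk.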
Perform the following to determine if the root account has MFA set up in the CLI:
Perform the following steps to establish MFA for the user:
Step 1: Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
Step 2: Click on Users in the left navigation pane
Step 3: Click on a user who has the AdministratorAccess policy and no MFA device assigned
Step 4: In the Summary, click on the Security credentials tab
Step 5: Under Assigned MFA device, click on Manage
Step 8: Open your virtual MFA application. Here we use Microsoft Authenticator; you can use any application from the list of those that host virtual MFA devices. If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose to create a new account (a new virtual MFA device).
Step 9: Determine whether the MFA app supports QR codes, and then do one of the following:
1. Use the app to scan the QR code.
2. In the Manage MFA Device wizard, choose the secret key for manual configuration and then type the secret configuration key into your MFA application.
Step 10: When you have finished, the virtual MFA device starts generating one-time passwords.
1. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device, then wait up to 30 seconds for the device to generate a new one-time password. Type that second one-time password into the Authentication Code 2 box, then click on Assign MFA.
Step 11: A success message appears on your screen; click on the Close button.