Cloud Security and Multi-Factor Authentication (MFA)
In our previous post, we began the series on Cloud Security Best Practices, with the overall goal to help you improve the security posture of your cloud environments. We began with the very foundation of cloud security for users, which is the Shared Responsibility Model.
In today’s post, we’ll discuss MFAs, the importance of them, and how to set them up on your AWS Management Console.
Multi Factor Authentication
Let’s begin with the simple authentication process.
Authentication happens when a user tries to log in to a system (a network, device or application). The system requires the user to present the identity by which the system knows them, together with evidence that the user genuinely holds that identity, such as a password, a thumbprint or an eye scan. Simple (single-factor) authentication requires just one such piece of evidence, called a factor.
With the increasing number of stolen digital identities being used to gain wrongful access, two-factor authentication became widely accepted and has now become the standard form of authentication in many digital systems. Your email verification, your bank's OTP, and most recently Meta's adoption of a full MFA policy on all Meta social accounts show that MFA has come to stay! Quite frankly, rightly so!
The purpose of MFA is to prove one's identity on the proposition that a bad (unauthorised) actor is unlikely to be able to provide all of the factors required for access.
How MFAs work…
In an authentication attempt, if one of the factors required is missing or provided incorrectly, the user’s identity is not ascertained with enough evidence, and access to the system (in our case your AWS Management Console), being protected by an MFA, then remains blocked!
MFA factors fall into these categories:
- Something the user has: any physical object in the possession of the user, such as a security token (USB stick), a bank card, a key, etc.
- Something the user knows: certain knowledge only known to the user, such as a password, PIN, etc.
- Something the user is: some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
- Somewhere the user is: some connection to a specific computing network, or a GPS signal that identifies the location.
Setting Up MFA on Your AWS Management Console
AWS offers 3 main MFA methods. They are:
- FIDO Security Keys
- Virtual Authenticator Apps: Twilio Authy Authenticator, Duo Mobile, LastPass Authenticator, Microsoft Authenticator, Google Authenticator, Symantec VIP
- TOTP Hardware Tokens
How To Set Up MFA on My Account
Here’s a step-by-step guide to setting up MFA on your AWS account:
Step 1: Log into your account
Step 2: Navigate to ‘My Security Credentials’
Step 3: Click on ‘Assign MFA’
Step 4: Choose MFA type
Step 5: Scan QR Code and Input Generated Keys
If you choose ‘Virtual MFA’ and decide to use the Google Authenticator app for a start, scan the QR code and the Google Authenticator app should generate unique authentication codes; input them in the boxes and click on ‘Assign MFA’. You should then be all set. That easy! The next time you log into your Management Console, it should require an MFA code to grant you access. All you need to do is go to your MFA device and input the unique generated code, as seen in the image below.
Wendu and MFA Enforcement
Now, it’s one thing to have it written down in your security and compliance policy book that every staff member with access to your organisation’s AWS Management Console must have MFA enabled on their login credentials; making sure that this policy is enforced is another thing entirely. This is where Wendu comes in. Wendu’s IAM Exposure dashboard gives management and teams information on how many accounts within their teams have MFA disabled, and not just that, but which accounts are not adhering to the MFA policy within the team, as shown in the images below.
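The same check can be scripted against the IAM credential report, which AWS generates for every account. This is an added example, not Wendu's code or an AWS sample: the report text below is constructed in the real report's column layout, and `fetch_credential_report` assumes boto3 with credentials allowed to generate and read the report.

```python
"""Find identities that can sign in to the AWS Management Console with a
password but have no MFA device active, using the IAM credential report."""
import csv
import io
import time

# Constructed sample in the shape of an IAM credential report (CSV, one row
# per user plus a <root_account> row). Real reports carry more columns.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,not_supported,not_supported,false,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T10:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2022-07-15T12:30:00+00:00,true,2024-04-28T17:45:00+00:00,2023-11-01T00:00:00+00:00,N/A,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-01-20T09:00:00+00:00,false,no_information,N/A,N/A,false,true
"""


def console_users_without_mfa(report_csv: str) -> list:
    """Return the names of identities that can log in with a password but
    whose mfa_active column is not 'true'. The root account reports
    password_enabled as 'not_supported' (it always has a password), so it is
    treated as a console identity too. Access-key-only users are skipped."""
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        can_use_password = row["password_enabled"] in ("true", "not_supported")
        if can_use_password and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return flagged


def fetch_credential_report() -> str:
    """Pull a fresh report with boto3 (hypothetical usage; needs the
    iam:GenerateCredentialReport and iam:GetCredentialReport permissions)."""
    import boto3  # imported here so the parsing logic runs without the SDK
    iam = boto3.client("iam")
    # Generation is asynchronous: poll until the report is COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    print(console_users_without_mfa(SAMPLE_REPORT))  # ['<root_account>', 'bob']
```

Run it on the real report by replacing `SAMPLE_REPORT` with `fetch_credential_report()`; a non-empty result is the list to chase.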
Wendu is revolutionising cloud security through SecFinOps and agentless security - enabling teams to collaborate, take ownership, and become accountable for their cloud estates and environments in terms of security, spend, quality and speed.
Learn more about Wendu here, and you can also request a demo to see Wendu in action.