Demo MFA and Password Policies

In this tutorial, you’ll learn how to secure your AWS environment by enabling Multi-Factor Authentication (MFA) for IAM users and enforcing custom password policies in the AWS Identity and Access Management (IAM) console.

Configuring MFA for an IAM User

  1. Sign in to the AWS Management Console and open the IAM dashboard.
  2. Select Users in the navigation pane to list the account's IAM users.

The image shows an AWS Identity and Access Management (IAM) dashboard displaying a list of users with details such as username, path, groups, last activity, MFA, and password age.

  3. Click on the user John, then open the Security credentials tab.
  4. Under Multi-Factor Authentication (MFA), click Assign MFA device.

The image shows an AWS Identity and Access Management (IAM) console screen, focusing on multi-factor authentication (MFA) settings for a user, with an option to assign an MFA device.

  5. Provide a Device name (for example, "MFA") and choose your device type from the table below:

Device type                              Description
Virtual MFA device (Authenticator app)   Software authenticator on a phone or laptop (Google Authenticator, Authy, Duo Mobile)
Security key                             FIDO2/WebAuthn hardware key
Hardware TOTP token                      Physical token that generates time-based codes

The image shows an AWS IAM interface for selecting a multi-factor authentication (MFA) device, with options for an authenticator app, security key, and hardware TOTP token.

Note

Make sure your chosen authenticator app supports Time-based One-Time Passwords (TOTP).

  6. To set up a Virtual MFA device:
    • Install and open a compatible authenticator app.
    • Scan the QR code displayed in the console, or choose Show secret key and enter the Base32 seed by hand. If you want to be able to re-enrol the same device later, store that seed in a password vault now; it is not shown again.
    • Enter two consecutive codes from your app (MFA Code 1 and MFA Code 2). They come from two adjacent 30-second windows, so wait for the code to roll over before typing the second one.
    • Click Assign MFA to finalize.

Warning

If you lose the MFA device (and, for a virtual device, did not save the secret key shown during setup), you cannot sign in until an administrator holding iam:DeactivateMFADevice, or the account's root user, removes the device from your IAM user; a new device can then be assigned. Assigning a device on its own does not force its use: to require MFA, attach a policy that denies actions unless the aws:MultiFactorAuthPresent condition key is true, while still allowing the user to manage their own MFA device.

Customizing Password Policies

  1. In the IAM console, select Account settings to view the Password policy section.

  2. Review the default requirements, which ensure basic password strength:

Requirement                  Default setting
Minimum length               8 characters
Character categories         At least 3 of: uppercase, lowercase, numbers, special characters
Exclusions                   Cannot be identical to the AWS account name or email address
Password expiration          Disabled (passwords never expire)
Password reuse prevention    None

The image shows an AWS Identity and Access Management (IAM) account settings page, detailing the default password policy requirements, including minimum length and character types.

  3. Click Edit, select Custom, and modify settings such as:
    • Minimum password length
    • Maximum password age
    • Required character types
    • Prevent password reuse
    • Allow users to change their own password (needed if users are expected to rotate their own passwords)

The image shows an AWS IAM password policy settings page, where custom password requirements can be configured, including minimum length and strength criteria.

  4. Once you've tailored the policy to your organizational standards, click Save changes. The policy applies account-wide to every IAM user's console password, but it is enforced when a password is created or changed: passwords already in use are not re-validated until their owners change them (or until they expire, if you set a maximum age), and the root user's password is never subject to it.
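Because the console settings map one-to-one onto the GetAccountPasswordPolicy and UpdateAccountPasswordPolicy API fields, the same change can be verified and applied from code. The example below is added here and is not the course's own material: it compares the account's current policy with an assumed organisational baseline, treating the documented defaults as the policy in force when no custom policy has ever been saved (the API then raises NoSuchEntity), reports each field that falls short, and applies the baseline. It assumes boto3 is installed and the caller holds iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy; the BASELINE values are an example standard chosen for the demonstration, not an AWS recommendation.

```python
"""Compare the account password policy with an assumed baseline and apply it.
Added example, not part of the course page.

Assumed: boto3 is installed; credentials with iam:GetAccountPasswordPolicy and
iam:UpdateAccountPasswordPolicy. BASELINE is an example organisational
standard, not an AWS recommendation.
"""

# Policy in force when no custom policy was ever saved. Only fields the default
# table above documents are listed; the default's "three of four categories"
# rule has no API field, so no individual category is marked as required.
AWS_DEFAULT_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False,
    "ExpirePasswords": False,
    "PasswordReusePrevention": 0,
}

# Keys are the UpdateAccountPasswordPolicy parameter names (assumed values).
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "AllowUsersToChangePassword": True,
}


def meets(key: str, have, want) -> bool:
    """The direction of 'stricter' differs per field, so compare accordingly."""
    if key == "MaxPasswordAge":          # absent or 0 means passwords never expire
        return bool(have) and have <= want
    if isinstance(want, bool):
        return bool(have) or not want    # a False baseline imposes nothing
    return (have or 0) >= want           # length and reuse history: larger is stricter


def policy_gaps(current: dict, baseline: dict = BASELINE) -> list[tuple]:
    """(field, current value, required value) for each baseline item the policy fails."""
    return [(k, current.get(k), v) for k, v in baseline.items()
            if not meets(k, current.get(k), v)]


def current_policy(iam) -> dict:
    """GetAccountPasswordPolicy raises NoSuchEntity while the default policy is in force."""
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return dict(AWS_DEFAULT_POLICY)


def apply_baseline(iam, baseline: dict = BASELINE) -> None:
    """UpdateAccountPasswordPolicy replaces the whole policy: any parameter left out
    reverts to its API default (AllowUsersToChangePassword becomes false), so
    always pass the complete baseline rather than a single changed field."""
    iam.update_account_password_policy(**baseline)


if __name__ == "__main__":
    import boto3
    iam = boto3.client("iam")
    gaps = policy_gaps(current_policy(iam))
    for field, have, want in gaps:
        print(f"{field}: have {have!r}, need {want!r}")
    if gaps:
        apply_baseline(iam)
        print("baseline applied; passwords already in use are re-checked only when next changed")
```

The MaxPasswordAge branch is the one that is easy to get wrong in a checker: a missing or zero value means "never expires", which is the weakest setting, yet a naive "greater is stricter" comparison would treat it as passing.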
