Demo MFA and Password Policies

In this tutorial, you’ll learn how to secure your AWS environment by enabling Multi-Factor Authentication (MFA) for IAM users and enforcing custom password policies in the AWS Identity and Access Management (IAM) console.

Configuring MFA for an IAM User

Sign in to the AWS Management Console and open the IAM dashboard.
Select Users in the navigation pane to view all IAM accounts.

The image shows an AWS Identity and Access Management (IAM) dashboard displaying a list of users with details such as username, path, groups, last activity, MFA, and password age.

Click on the user John, then open the Security credentials tab.
Under Multi-Factor Authentication (MFA), click Assign MFA device.

The image shows an AWS Identity and Access Management (IAM) console screen, focusing on multi-factor authentication (MFA) settings for a user, with an option to assign an MFA device.

Provide a Device label (for example, “MFA”) and choose your device type from the table below:

Device Type	Description
Virtual MFA device	Software authenticator (Google Authenticator, Authy, Duo Mobile)
Security key	FIDO2/WebAuthn hardware key
Hardware TOTP token	Physical token generating time-based codes

The image shows an AWS IAM interface for selecting a multi-factor authentication (MFA) device, with options for an authenticator app, security key, and hardware TOTP token.

Note

Make sure your chosen authenticator app supports Time-based One-Time Passwords (TOTP).

To set up a Virtual MFA device:
- Install and open a compatible authenticator app.
- Scan the QR code displayed in the console.
- Enter the two consecutive codes from your app (MFA Code 1 and MFA Code 2).
- Click Assign MFA to finalize.

Warning

If you lose access to your MFA device and haven’t saved the seed key, you may need to contact your AWS account administrator or use your root credentials to regain access.

Customizing Password Policies

In the IAM console, select Account settings to view the Password policy section.
Review the default requirements, which ensure basic password strength:

Requirement	Default Setting
Minimum length	8 characters
Character categories	At least 3 of: uppercase, lowercase, numbers, special characters
Exclusions	Cannot match username or email address
Password expiration	Disabled
Password reuse prevention	None

The image shows an AWS Identity and Access Management (IAM) account settings page, detailing the default password policy requirements, including minimum length and character types.

Click Edit, select Custom, and modify settings such as:
- Minimum password length
- Maximum password age
- Required character types
- Prevent password reuse

The image shows an AWS IAM password policy settings page, where custom password requirements can be configured, including minimum length and strength criteria.

Once you've tailored the policy to your organizational standards, click Save changes. All IAM users will now be subject to the updated policy.

Links and References

Watch Video

Watch video content