by Svitlana Ostnek
EPAM Cloud supports three ways to access Amazon Web Services: Maestro CLI tools, temporary AWS Console access, and, where permanent and/or advanced access is necessary, access via an IAM user. The first two options are low-risk in security terms, as the scope of allowed operations is limited by EPAM Orchestration, or the access is temporary and limited.
Meanwhile, providing permanent IAM user access enables more possibilities, but it requires close attention to account security. One way to prevent unauthorized access to accounts is activating AWS multi-factor authentication (MFA), which adds a second authentication factor: a code delivered to a verified device that is required to complete the AWS login procedure.
For IAM users created to access AWS within EPAM Cloud, the virtual MFA device approach is supported. The user requests the virtual MFA device creation via the AWS Management Console. The device generates a six-digit numeric code that must be entered during the second step of the sign-in procedure; the code changes regularly.
To activate MFA for your IAM user and set up the connection, follow the instructions below:
1. Install a virtual MFA application on your smartphone. You can find the list of applications available for different smartphones on this page. In this document, we used the Google Authenticator application.
2. Log in to the AWS Management Console IAM page with the credentials provided to you at IAM user activation.
3. Using the navigation pane, go to the Users tab.
4. Find your user name and click it, e.g.:
5. In the Security Credentials tab, click 'Manage MFA Device'.
6. In the 'Manage MFA Device' wizard, select 'A virtual MFA device' and click 'Next Step'.
7. On the following step, verify that you have an MFA application installed on your smartphone, and click 'Next Step'.
8. The next step will show a QR code and two fields for authentication code input:
9. Use the MFA application on your smartphone to read the QR code shown on this step. For example, if you use Google Authenticator, click 'Scan a barcode'. Note that if you don't have a suitable scanner application, the Authenticator can suggest installing one.
10. As soon as the provided QR code is scanned, your account name is registered in the application and the dynamic password is displayed:
11. The password changes frequently. Take two consecutive values and enter them in the Authentication Code 1 and 2 fields of the 'Manage MFA Device' wizard.
12. After that, you get logged in to your AWS IAM account.
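To show what the virtual MFA device in steps 10 and 11 is actually doing, and why the wizard asks for two consecutive codes, here is an added example of RFC 6238 TOTP, the algorithm that AWS virtual MFA devices and Google Authenticator implement; it is not code from EPAM Cloud or AWS. The secret and the time values are the standard's published test vectors, not a real device seed.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"), used here only
# for the published test vectors; a real device seed comes from the QR code.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, then the last N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the 30-second time window.
    This is why the six-digit code in the app 'changes frequently'."""
    return hotp(secret, unix_time // step, digits)


def consecutive_codes(secret: bytes, unix_time: int, step: int = 30):
    """The codes from two consecutive 30-second windows, i.e. what the wizard
    expects in Authentication Code 1 and 2 so it can confirm the shared seed."""
    return totp(secret, unix_time, step), totp(secret, unix_time + step, step)


def secret_from_base32(seed: str) -> bytes:
    """Decode the Base32 seed carried in an otpauth:// QR code
    (tolerates lowercase, spaces and missing '=' padding)."""
    seed = seed.strip().replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)
    return base64.b32decode(seed)


if __name__ == "__main__":
    now = int(time.time())
    print(totp(RFC6238_SECRET, now), "valid for", 30 - now % 30, "more seconds")
```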
Using MFA improves your account security, as the threat from a potential credential leak is minimized by the second authentication factor. All AWS IAM users who get access to AWS via EPAM Orchestration must have MFA activated.