I have been managing an AWS account for about a year. Typical "best practices" security setup:
1 Root Account
Multiple non-Root accounts, including the one I use on a daily basis
All accounts using MFA (I personally use the Google Authenticator app)
I would like to now transfer "ownership" of this entire AWS account (Root account & all) to someone else. While I can certainly give them the username + password to login as Root, they will need MFA setup as well.
The only way I can think of handling this is to:
Disable MFA on the Root account
Give them the logins for the Root account
Trust that they will re-enable MFA as soon as possible
Does the AWS web console provide any better solutions? I'm not even sure if it's possible to disable MFA on an account (let alone Root) once it's set...
Thanks in advance!
To deactivate the MFA device for your AWS account root user (console)
Use your AWS account root user credentials to sign in to the AWS Management Console.
Important
To manage MFA devices for the AWS account, you must sign in to AWS with your AWS account root user credentials. You cannot manage MFA devices for the root user with other credentials.
On the navigation bar, choose your account name, and then choose My Security Credentials. If a prompt appears, choose Continue to Security Credentials.

Expand the Multi-Factor Authentication (MFA) section.
In the row for the MFA device that you want to deactivate, choose Deactivate.
The MFA device is deactivated for the AWS account.
You asked three questions. Let us look at them one by one.
1. Disable MFA on the Root account
To deactivate the MFA device for your AWS account root user (console), follow these steps:
Sign in to your AWS Account with Root Creds
In the right corner of the navigation pane you can see My Security Credentials
Select Multi-Factor Authentication
Then mark it as Deactivate against your MFA Device
2. Give them the logins for the Root account
For this, follow the AWS documentation, which clearly shows How do I transfer my account to another person or business? For this there is no need for a Technical Support package; your Basic Support package is enough.
3. Trust that they will re-enable MFA as soon as possible
For this you have to ask whoever you are transferring the account to to enable MFA. You can also teach them the need for MFA and its security needs.
As mentioned, it's possible to remove an MFA from an account once it's been added. You also have two options for transferring the root account with MFA enabled:
If the account is worth the investment, buy and use a hardware MFA. Then transferring the account involves physically transferring the MFA device.
If you want to keep using a virtual device, remove the MFA from the root account and re-add it. While scanning the QR code with your own Authenticator app, take a screenshot of the QR code and store it securely (ideally, print it on paper and immediately destroy any digital copies), or press "Show secret key for manual configuration" and write down the long seed string on paper. The QR code or seed string can be scanned or entered to seed the same OTP number-stream onto the new owner's Authenticator app. Obviously, be aware that if stolen, the same data can be used to seed the same stream by anyone, including an attacker, so keep it secure.
Related
I want to set up MFA for other IAM users in AWS. Is there a way to do that? I only found that I could force them to authenticate themselves, but is there a way for an administrator to set up MFA for other IAM users?
This can be done from the console, but you must be aware that you will need a device to bind it to, which the user must have if they are to be able to log in.
To do it you will need to go to the IAM console:
Go to the IAM console
Click the Users menu item.
Click on a User name link
Click the Security credentials tab
Next to the Assigned MFA device label click Manage
You can now sort out the MFA for the user
The administrator would need access to perform this action in IAM.
Just in case you are not aware, you can also use the policy on the AWS: Allows MFA-Authenticated IAM Users to Manage Their Own MFA Device on the My Security Credentials Page page to prevent a user from doing anything whilst they do not have an MFA attached.
I don't think this is possible.
You can enable it for a user but the user needs to go through the steps to establish the MFA.
It defeats the purpose of MFA if a third person has access to it, therefore industry best practice is for a user him/herself to set it up.
MFA details in AWS document link below: https://aws.amazon.com/iam/features/mfa/
I have an AWS account and enabled MFA for the root user. By chance, if my phone got damaged or stolen, then how will I log in to my AWS account as the root user, because it will ask for MFA?
Any IAM user can log in to the console, but they cannot disable MFA for the root user, even if this user has "Administrator Access".
Is there any way to log in to the AWS account if the MFA-enabled device got lost?
If you have access to the phone number and email address associated with the AWS root account, you can go through an automated process of verifying you're the account owner, deactivating your MFA, logging in w/out MFA, and activating a new MFA virtual device. More info at: https://aws.amazon.com/blogs/security/reset-your-aws-root-accounts-lost-mfa-device-faster-by-using-the-aws-management-console/
As mentioned in the blog post, if you don't have access to the phone number for the root account or didn't associate a phone number with your root account when you signed up, you'll have to contact AWS support and have access to your email address that's associated with the AWS root account.
You could avoid all of this by making a copy of your MFA QR code and storing it in a secure place, like a fireproof safe, and setting up a new virtual device with your stored QR code without having to perform any interventions to deactivate your AWS root account's existing MFA activation.
You can contact AWS support and explain the situation. They may provide the verification code to the "email" that you have registered on creating the AWS account.
When creating a new user in AWS IAM using the web console, for a person that is remote (say, in another country, where the Administrator has no practical access to the new User's smartphone), how can the user account be created so that Virtual MFA is required?
Requiring Virtual MFA is easy when the smartphone is present at the time & place the User Account is created (scan the barcode in the Virtual MFA, then enter two consecutive codes), but it's unclear how this works when the device is not proximate to the Administrator.
Does the MFA "Secret Key" have anything to do with this use case?
REGRETS in advance prior to posting this question, I did RTM, yet I am unable to find a clear answer.
While creating IAM users, you can enable your users to configure their own credentials and MFA settings.
For step-by-step guidance, refer to this tutorial from AWS.
This is how I solved it:
Send the QR Code as an image to the user.
Ask the user to send two consecutive codes from their smartphone.
Enter them into your IAM configuration. All set and good to go.
I am trying to force all users to set up MFA login when they sign up. Is this something that is possible in AWS, and how or where are the instructions to do this?
Sort of. You can essentially block non-admin users from making API calls without using MFA. There's a section about setting this up in this AWS blog post. The blog post describes how to give someone access to set up MFA, and require MFA for every other interaction with the AWS API. I think this will require MFA to be used with calls from the SDK and CLI as well, so it might not be exactly what you want.
Also, I say this is only for non-admin users, because admin users would have the ability to go in and disable the MFA restriction on their account.
This is difficult to do because the MFA device needs to be set up, and once you do that, you need to enter information from the device. Usually you have to enter two tokens in sequence to "synchronize" the device.
So you can't set up a virtual MFA for a user without the user. However, if you had a hardware MFA device (see https://aws.amazon.com/iam/details/mfa/) then you could set up the user and the device and then give the user the device.
It's not perfect by any means.
Yes, this can definitely be done! Of course, admin and root users are able to disable the policy, but if you so desire, you can also limit who can update or disable the policy. When the enforcement policy is in effect, when the user logs in the only thing they have access to do is to enable the MFA for their IAM user. Once they then re-login with MFA enabled, they have the access they've been issued with the IAM policies/group memberships, etc.
It is not possible to enforce MFA only in the AWS web console, because the web console is essentially a front-end to the APIs which the AWS CLI tool also accesses. Starting and managing MFA (and role) sessions on the command line is a rather convoluted process, so you may be interested in a utility whose 2.0 version I just released. It makes it very easy to start and manage MFA and role sessions. I have also included an example enforcement policy that has been carefully built to work with the utility. A companion script is also provided to make it easy to enable/assign an MFA device from the command line (e.g. for the users who don't have web console access).
You can find the utility, more information about it, and the example policies in my GitHub at https://github.com/vwal/awscli-mfa
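An enforcement policy of the kind these answers describe, given here as an added example that is neither the linked blog post's nor the awscli-mfa project's own policy. It is modeled on the AWS-published "Allows MFA-authenticated IAM users to manage their own MFA device" example and is meant to be attached to the group of users who must enroll: without an MFA-authenticated session, everything except viewing, creating and enabling the user's own virtual MFA device (and fetching an MFA session token for the CLI) is explicitly denied. As the answers above note, anyone with permission to edit IAM policies can still remove it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": ["iam:CreateVirtualMFADevice"],
      "Resource": "arn:aws:iam::*:mfa/*"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
      }
    }
  ]
}
```

The BoolIfExists operator is what makes the Deny bite for access-key requests, where the aws:MultiFactorAuthPresent key is absent rather than false; once the user signs in again with an MFA code, the Deny no longer matches and their regular group and user policies apply.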
The following snippet is from the AWS docs, saying that sharing credentials is not the right way. Does it involve additional charges to add IAM to support multiple developers?
Without IAM, if you want to enable other users to access your AWS resources, the only way is to share your AWS account credentials. We do not recommend this approach. Your account credentials enable access to all AWS resources associated with your account, including your billing information. For these reasons, we recommend that you never share your AWS account credentials.
There is no additional charge for the IAM service. Please see the following link: http://aws.amazon.com/iam/#pricing
To confirm it once again, you can check the AWS monthly calculator at the following link:
http://calculator.s3.amazonaws.com/calc5.html. I don't see any charges for the IAM service there either.
What that text is explaining is that any user who has access to your account email login can change ANYTHING on your account. They could change your password and lock you out. There's no easy way to recover your account. A person from the billing department could accidentally or maliciously terminate your servers or delete S3 data. They're warning you that it's not a good idea to give anyone but yourself access to the email login.
With IAM you can enable almost all the permissions that the email login has. The exceptions are changing the account credentials and personal information. Each user will be provided with their own username and password for access to the console and can be assigned a new set of Access Keys or x509 certificates if required.
There's no cost or downside to using IAM, and it's highly recommended for security reasons.