AWS Root User MFA

When you set up a new AWS account, the first user that is created is your root user. This user should rarely be used and should be secured as much as possible (since it has full access to everything in your new account). Besides a strong password, you should always set up Multi-Factor Authentication (MFA) for the root user. This post will go over how to set up MFA using the AWS console for the root user.

This is a post in the "Blog on a Budget" series.



Set the Root User MFA

  1. If you aren't already logged into your AWS account as the root user, go ahead and do so now.

  2. Once you are logged into the AWS Console as the root user, you will want to select the menu in the upper-right-hand corner of the console. Then you will want to select Security Credentials from the menu:

AWS Console Homepage

  3. This will then bring you to the Security Credentials page:

Root User Security Credentials

  4. Once on the Security Credentials page, if you don't have an MFA device assigned, you will see a block that notifies you that You don't have MFA assigned, with a button to the right labelled Assign MFA.

  5. Select the Assign MFA button and a Select MFA device page will be loaded:

MFA Device Name

  6. On the above page, fill in a name for the MFA device that you will be using. In this example, the name Personal_Mobile is being used.

  7. You then have three different options for the type of MFA device to be used. I prefer to use an authenticator application for this purpose, and that is the only type of device we will cover in this post. If you don't already have an MFA application that you use, here are a few examples:

  8. Once you have your authenticator application ready, select the orange Add MFA button at the bottom of the page.

  9. This will bring you to a page with a square box that displays a QR code when you click on it:

MFA QR Code Page

  10. Now get your authenticator application ready to scan a QR code and select the Show QR code box. This will display a QR code for you to scan.

  11. Scan the QR code with your authenticator application; a code should now appear in the application with a default title that helps you identify it. This will be a six-digit code that rotates at a regular interval.

  12. You then need to enter two consecutive codes from the authenticator application into the MFA code 1 and MFA code 2 fields. The first code doesn't need to be the very first one that came up in the application, but the two codes you enter need to be consecutive.

  13. Once you have entered the codes, select the orange Add MFA button.

  14. If you have done everything correctly, you will be sent back to the Security Credentials page:

Root User Security Credentials Confirmation

At this point, you now have multi-factor authentication set up correctly for your root user.


NOTE: If an error was reported, it is usually because the MFA codes were not entered correctly. You should be directed to enter the codes again.
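As an added illustration that is not part of the original post, the code below implements the TOTP algorithm (RFC 6238) that authenticator applications use to produce the rotating six-digit code, plus a small verifier that models why two consecutive codes are requested. The seed is the RFC 6238 test vector rather than a real AWS seed, and the verifier is my own construction, not AWS's implementation.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code window; virtual MFA devices rotate every 30 seconds
DIGITS = 6   # the six-digit code the post describes


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app shows at unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def next_two_codes(secret: bytes, unix_time: int) -> tuple:
    """The two consecutive codes the 'MFA code 1' and 'MFA code 2' fields expect."""
    return totp(secret, unix_time), totp(secret, unix_time + STEP)


def verify_consecutive(secret: bytes, code1: str, code2: str, now: int,
                       skew_windows: int = 1) -> bool:
    """Constructed verifier (my model of the check, not AWS's implementation):
    accept only if code1 and code2 are the codes of two adjacent windows near 'now'.
    Two adjacent codes confirm the app holds the right seed and its clock is in sync;
    a single code, or two codes in the wrong order, is rejected."""
    base = now // STEP
    for window in range(base - skew_windows, base + skew_windows + 1):
        t1 = window * STEP
        if (hmac.compare_digest(totp(secret, t1), code1)
                and hmac.compare_digest(totp(secret, t1 + STEP), code2)):
            return True
    return False


def seed_from_base32(b32: str) -> bytes:
    """otpauth QR codes carry the seed Base32-encoded; apps decode it to raw bytes."""
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    # RFC 6238 reference seed (ASCII "12345678901234567890"), not a real AWS seed.
    seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code1, code2 = next_two_codes(seed, 1111111109)
    print("MFA code 1:", code1, " MFA code 2:", code2)
    print("accepted:", verify_consecutive(seed, code1, code2, 1111111111))
    print("reversed order accepted:", verify_consecutive(seed, code2, code1, 1111111111))
```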


Test the Updated Credentials

  1. If you are still logged into your account, go ahead and log out.

  2. Once you are logged out, you should see a page like the following which has an orange Log back in button:

Log Back In

  3. Select the Log back in button.

  4. This will then bring you to a Sign in page which has the Root user box highlighted:

Email Address

  5. On the above page, enter your root user email address in the Root user email address field.

  6. Select the Next button.

  7. This will bring you to the password page:

Password

  8. On the above page, fill in the password for your root user for this AWS account.

  9. Once you have entered the correct password, select the Sign in button.

  10. Instead of logging you in, as it would have done before, you will now be taken to a Multi-factor authentication page:

MFA

  11. On the above page, enter the current six-digit code shown in the authenticator application.

  12. Once you have entered the correct code, select the Submit button.

  13. If you have entered all of the credentials correctly, you will be logged into the homepage of your AWS console.

At this point, you have now successfully added and tested your MFA credentials.


Conclusion

Now that you have an MFA device assigned to your root user for your AWS account, it will be much harder for an attacker to break into your account using the root user credentials: a leaked or guessed root password alone is no longer enough to sign in.

If your authenticator application allows you to back up your MFA device, you may want to consider it: without access to a current MFA code you will not be able to sign in as the root user.