AWS is making it possible to add multiple MFA devices to AWS account root users and AWS Identity and Access Management users.
November 17, 2022 Zachary Comeau Leave a Comment
Amazon Web Services (AWS) is making it possible to add multiple multi-factor authentication devices to AWS account root users and AWS Identity and Access Management (IAM) users in their AWS accounts, a move intended to help limit access to highly privileged principals.
Previously, organizations could only have one MFA device associated with root users or IAM users, but now they can associate up to eight MFA devices, the company announced this week.
The cloud services provider recommends against using root users or IAM users to manage access to accounts; instead, organizations should use AWS IAM Identity Center, the company's successor to AWS Single Sign-On, to manage access to accounts.
AWS says it supports three types of MFA devices for IAM: FIDO security keys, virtual authenticator applications and time-based one-time password (TOTP) hardware tokens. Different types of MFA devices can be associated with the same IAM principal.
According to AWS, these are the use cases for using multiple MFA devices with an IAM principal:
- In the case of a lost, stolen, or inaccessible MFA device, users can use one of the remaining MFA devices to access the account without performing account recovery. AWS recommends disassociating the lost or stolen device from the root users or IAM users it's associated with.
- Geographically distributed or hybrid teams can use hardware-based MFA to access AWS without having to ship a device or coordinate the physical exchange of a device between employees.
- If the holder of an MFA device isn't available, organizations can maintain access to root users and IAM users by using a different MFA device associated with the IAM principal.
- Organizations can store additional MFA devices in a secure physical location while retaining physical access to another MFA device for redundancy.
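To make the redundancy argument above auditable, here is an added example (not code from AWS or from this article) that summarizes each IAM user's MFA posture from the device list that a `list-mfa-devices` call returns, flagging users with no device or only one. It assumes the boto3 response shape (`MFADevices` entries with a `SerialNumber`) and, as a labelled heuristic, that virtual and FIDO device serial numbers contain `:mfa/` and `:u2f/` respectively; the sample data is constructed.

```python
"""Audit how many MFA devices each IAM user has registered (added example)."""
from collections import Counter

# Up to eight MFA devices per root or IAM user, per the AWS announcement.
MAX_MFA_DEVICES = 8


def mfa_device_type(serial_number: str) -> str:
    """Classify a device by its serial number (heuristic, assumption: AWS uses
    ':mfa/' in virtual-device ARNs and ':u2f/' in FIDO-key ARNs; anything
    else is treated as a hardware TOTP token)."""
    if ":mfa/" in serial_number:
        return "virtual"
    if ":u2f/" in serial_number:
        return "fido"
    return "hardware-totp"


def audit_user(user_name: str, mfa_devices: list) -> dict:
    """Summarise one user's MFA posture.

    mfa_devices is the 'MFADevices' list in the shape boto3's
    iam.list_mfa_devices(UserName=...) returns it.
    """
    types = Counter(mfa_device_type(d["SerialNumber"]) for d in mfa_devices)
    count = sum(types.values())
    if count == 0:
        status = "NO_MFA"
    elif count == 1:
        status = "SINGLE_DEVICE"  # losing this device forces account recovery
    else:
        status = "REDUNDANT"
    return {"user": user_name, "count": count, "types": dict(types),
            "status": status, "room_left": MAX_MFA_DEVICES - count}


def audit_all(responses: dict) -> list:
    """Audit every user; responses maps user name -> 'MFADevices' list."""
    return [audit_user(u, devs) for u, devs in sorted(responses.items())]


# Constructed sample data in the boto3 response shape (not real accounts).
SAMPLE_RESPONSES = {
    "alice": [{"UserName": "alice", "SerialNumber": "arn:aws:iam::111122223333:mfa/alice"},
              {"UserName": "alice", "SerialNumber": "arn:aws:iam::111122223333:u2f/user/alice/default-KEY1"}],
    "bob": [{"UserName": "bob", "SerialNumber": "GAHT12345678"}],
    "carol": [],
}

if __name__ == "__main__":
    # Against a real account: build `responses` from boto3's iam.list_users()
    # and iam.list_mfa_devices(UserName=...) instead of SAMPLE_RESPONSES.
    for row in audit_all(SAMPLE_RESPONSES):
        print(row)
```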
This feature is available now in all AWS Regions except the AWS GovCloud (US) Regions, the AWS China (Beijing) Region, operated by Sinnet, and the AWS (Ningxia) Region, operated by NWCD, the company says.
Learn more in this AWS blog post.