AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources.

First time users should see the IAM Best Practices section of the IAM User Guide. To get started using IAM, sign in to the AWS Management Console.

IAM also enables identity federation between your corporate directory and AWS services. This lets you use existing corporate identities to grant secure access to AWS resources, such as Amazon S3 buckets, without creating new AWS identities for those users. To learn more, try our sample application.

AWS multi-factor authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their virtual MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.

You can enable MFA for your AWS account and for individual IAM users you have created under your account. MFA can also be used to control access to AWS service APIs, by making an IAM policy condition on whether the request was authenticated with MFA.

Virtual MFA Apps

You can install apps on your smartphone from the app store that is specific to your phone type. The following list shows some apps for different smartphone types:

Frequently Asked Questions When Provisioning a Virtual MFA Device

Q. What is a virtual MFA device?
A virtual MFA device is an entry created in a TOTP-compatible software app that can generate six-digit authentication codes. The software app can run on any compatible computing device, such as a smartphone.

Q. How do I provision a new virtual MFA device?
You can configure a new virtual MFA device in the IAM console for your IAM users. You will find the MFA configuration workflow on the Security Credentials page in the IAM console. For more information about how to provision a virtual MFA device, see Enabling a Virtual Multi-factor Authentication (MFA) Device.

Q. What is a QR code?
A QR code is a two-dimensional barcode that is readable by dedicated QR barcode readers and most smartphones. The code consists of black squares arranged in larger square patterns on a white background. The QR code contains the required security configuration information to provision a virtual MFA device in your virtual MFA app.
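The QR code carries the seed and its parameters in the otpauth URI format that authenticator apps read. The following is an added example, not AWS code: it parses such a URI, derives the six-digit codes that the answer to "What is a virtual MFA device?" describes (RFC 6238 TOTP over RFC 4226 HOTP), and checks a submitted code the way a verifier would, with a one-step clock-skew window and a constant-time compare. The URI, the account label and the seed are constructed for this example; the seed is the RFC 4226/6238 test secret "12345678901234567890", so the codes it produces match the published test vectors. The exact label text inside AWS's own QR payload is an assumption here.

```python
"""Virtual MFA device end to end: parse the provisioning QR payload, derive
a TOTP code from the shared seed, and verify it as a server would.
Added example, not AWS code. The otpauth URI, account label and seed are
constructed for this example."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed provisioning payload in the otpauth Key URI format that
# authenticator apps read from a QR code. The seed is the RFC 4226/6238 test
# secret "12345678901234567890" in base32. The label format is an assumption
# about what an AWS QR code carries, not copied from AWS.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Amazon%20Web%20Services:alice%40123456789012"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Amazon%20Web%20Services"
)


def parse_otpauth_uri(uri):
    """Return (label, seed_bytes, digits, period) from an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parsed.query)
    secret_b32 = params["secret"][0].upper()
    # base32 decoders need padding; QR payloads usually omit it.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    seed = base64.b32decode(secret_b32)
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return unquote(parsed.path.lstrip("/")), seed, digits, period


def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic
    truncation to a 31-bit integer reduced to the requested digit count."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, unix_time, digits=6, period=30):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(seed, int(unix_time) // period, digits)


def verify_totp(seed, candidate, unix_time, digits=6, period=30, skew=1):
    """Verifier-side check: accept the current step and its +/- `skew`
    neighbours to tolerate clock drift; compare in constant time so the
    check itself does not leak how many leading digits matched."""
    step = int(unix_time) // period
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(seed, step + delta, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    label, seed, digits, period = parse_otpauth_uri(SAMPLE_OTPAUTH_URI)
    now = time.time()
    code = totp(seed, now, digits, period)
    print(f"{label}: current code {code}, accepted={verify_totp(seed, code, now)}")
```

Two points this makes concrete: anything that can read the QR payload or the decoded seed can compute every future code, which is why the seed must be handled as a secret; and a verifier has to bound the skew window, since each extra accepted step gives an attacker another guess per login attempt.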

Q. How should I handle and distribute the seed material for virtual MFA devices?

You should treat seed material like any other secret (for example, AWS secret keys and passwords). Anyone who obtains the seed can generate valid authentication codes indefinitely, so do not store it, or the QR code image that encodes it, alongside the password it is meant to protect.

Q. How can I enable an IAM user to manage virtual MFA devices under my account?
Grant the IAM user permission to call the CreateVirtualMFADevice API, which provisions new virtual MFA devices. Note that this call only creates the device object; associating the device with a user's sign-in is a separate call (EnableMFADevice) that also needs to be permitted.
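The policy below is an added example, not taken from this page, that puts both earlier points into one document: it grants an IAM user the CreateVirtualMFADevice permission (and the related calls) scoped to a device and user named after the caller, and it uses the aws:MultiFactorAuthPresent condition to deny every other API call until the user has authenticated with MFA, which is the "control access to AWS service APIs" use mentioned above. The statement names are this example's own choice.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice",
        "iam:DeactivateMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

Two details matter. The condition uses BoolIfExists rather than Bool because aws:MultiFactorAuthPresent is absent from the request context when a call is made with long-term access keys; with a plain Bool test the absent key would not match and the Deny would silently not apply to exactly the requests it is meant to block. DeactivateMFADevice and DeleteVirtualMFADevice are deliberately left out of the NotAction list, so an attacker holding only the password cannot remove the device; sts:GetSessionToken is kept in the list so the user can obtain MFA-backed temporary credentials for CLI use. The console's MFA page needs a few additional read-only IAM actions beyond the ones shown.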

Your use of this service is subject to the AWS Customer Agreement.