Multi-Factor Authentication (MFA) Enforcement

Overview

Multi-Factor Authentication (MFA) is mandatory for all MenoTime staff with AWS IAM access. MFA requires users to provide two forms of identification before accessing AWS resources, dramatically reducing the risk of account compromise due to password theft or phishing attacks.

Requirement: All IAM users must enable MFA before accessing any AWS resources.

Why MFA is Mandatory

Security Benefits

  1. Protects against password compromise — Even if an attacker has your password, they cannot access your account without the second factor
  2. Reduces phishing risk — Phishing attacks that steal credentials are ineffective without MFA
  3. Prevents unauthorized API access — Stolen long-term access keys cannot be used for API calls without an MFA-backed session token
  4. Compliance requirement — HIPAA Security Rule requires multi-factor authentication for remote access to ePHI
  5. Industry standard — AWS, healthcare, and financial industry best practices mandate MFA

Real-World Scenarios

Without MFA: Attacker phishes password → Accesses AWS console → Deletes databases → Steals PHI data → HIPAA breach

With MFA: Attacker phishes password → Attempts console login → MFA prompt appears → Attacker cannot proceed → Account remains secure

ForceMFA IAM Policy

All MenoTime IAM users are subject to the ForceMFA policy, which restricts access unless MFA is enabled. This policy is applied to all users and prevents non-MFA-enabled access to AWS resources.

How ForceMFA Works

  1. Allows access to MFA setup — Users can access IAM console to configure MFA
  2. Denies access to everything else — Until MFA is enabled, all other AWS actions are blocked
  3. Requires MFA for daily operations — Once MFA is enabled, MFA is required for all actions

ForceMFA Policy JSON

This policy is applied as an IAM permissions boundary or inline policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountSummary",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::ACCOUNT_ID:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice",
        "iam:ChangePassword"
      ],
      "Resource": "arn:aws:iam::ACCOUNT_ID:user/${aws:username}"
    },
    {
      "Sid": "AllowListUsersAndPolicies",
      "Effect": "Allow",
      "Action": [
        "iam:GetLoginProfile",
        "iam:ListAttachedUserPolicies",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:ListPolicies",
        "iam:GetPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:ChangePassword",
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListUsers",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

Policy Behavior Explained

| Action | Without MFA | With MFA | Purpose |
|---|---|---|---|
| View account info | ✓ Allowed | ✓ Allowed | Set up MFA before being locked out |
| Create/delete MFA device | ✓ Allowed | ✓ Allowed | Enable initial setup or replacement |
| Manage own MFA | ✓ Allowed | ✓ Allowed | Users can change MFA settings |
| All other AWS actions | ✗ Denied | ✓ Allowed | Force MFA before doing anything |
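To make the table concrete, the following evaluator was written for this page (it is not part of the MenoTime policy or any AWS tooling). It applies the IAM decision rules to a subset of the ForceMFA statements plus one constructed job-permission statement, and the user ARN, account id and `force_mfa_policy()` helper are assumptions; it also builds the weaker `Bool` variant to show why `BoolIfExists` is the right operator.

```python
# Added example (not part of the MenoTime page): a minimal IAM policy evaluator
# for the ForceMFA statements above. A call made with a long-term access key has
# no aws:MultiFactorAuthPresent key at all; BoolIfExists treats that as a match.
import fnmatch

def _match(patterns, value):
    """IAM-style wildcard match against one pattern or a list of patterns."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _condition_holds(condition, context):
    """Evaluate Bool / BoolIfExists conditions against the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator != "BoolIfExists":
                    return False    # plain Bool: a missing key never matches
                continue            # BoolIfExists: a missing key counts as a match
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def evaluate(statements, action, resource, context):
    """IAM decision logic: explicit Deny wins, otherwise any Allow, else implicit deny."""
    decision = "Deny"
    for st in statements:
        if "Action" in st:
            applies = _match(st["Action"], action)
        else:                       # NotAction: every action except the listed ones
            applies = not _match(st["NotAction"], action)
        if not (applies and _match(st["Resource"], resource)
                and _condition_holds(st.get("Condition", {}), context)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Constructed sample: user ARN, the AllowManageOwnUserMFA subset, a job permission
# another attached policy would grant, and the ForceMFA Deny statement.
USER_ARN = "arn:aws:iam::123456789012:user/jane.doe"
MFA_EXEMPT = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
              "iam:ListMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken"]
def force_mfa_policy(operator="BoolIfExists"):
    """Combined statements; operator="Bool" builds the weaker variant for comparison."""
    return [
        {"Effect": "Allow", "Action": MFA_EXEMPT[1:5], "Resource": USER_ARN},
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"},
        {"Effect": "Deny", "NotAction": MFA_EXEMPT, "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
    ]
```

With the `Bool` variant, a request that carries no MFA context key (a plain access-key call) is not denied at all, which is exactly the gap `BoolIfExists` closes.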

MFA Setup Instructions

Step 1: Choose Your MFA Device Type

MenoTime supports two types of MFA devices:

  1. Virtual MFA Device (recommended for staff)
     • Uses a smartphone app (Google Authenticator, Microsoft Authenticator, Authy)
     • No additional hardware required
     • Works offline
     • Backup codes provided

  2. Hardware MFA Key (required for root account)
     • USB or Bluetooth key (e.g., YubiKey, Titan Security Key)
     • Most secure option
     • Cannot be phished
     • Not subject to mobile device loss
     • AWS recommends hardware keys for all accounts

Step 2: Set Up Virtual MFA Device

Prerequisites: AWS Management Console access, smartphone with authenticator app

2a. Install Authenticator App on Phone

Choose one of these apps:

  • Google Authenticator (iOS/Android) — Free, reliable, no cloud backup
  • Microsoft Authenticator (iOS/Android) — Free, supports cloud backup
  • Authy (iOS/Android) — Free, supports multiple devices and cloud backup
  • 1Password (iOS/Android) — Paid, integrates with password manager
  • LastPass Authenticator (iOS/Android) — Paired with LastPass

Recommendation: Use Authy or Microsoft Authenticator for their cloud backup support (important for account recovery).

2b. Log into AWS Management Console

https://console.aws.amazon.com

2c. Navigate to MFA Configuration

  1. Click your username in top-right corner → Security Credentials
  2. Expand Multi-Factor Authentication (MFA) section
  3. Click Assign MFA Device

2d. Configure Virtual MFA Device

  1. Select Virtual MFA Device
  2. Click Continue
  3. Click Show QR Code
  4. On your phone: Open authenticator app and scan the QR code
  5. If you cannot scan, manually enter the setup key (alternative option)
  6. Authenticator app generates 6-digit codes that refresh every 30 seconds

2e. Verify MFA Setup

  1. In the AWS console, enter two consecutive 6-digit codes from your authenticator app:
     • First code (current)
     • Wait ~30 seconds
     • Second code (next)
  2. Click Assign Virtual MFA Device
  3. AWS displays backup codes — save these in a secure location (see "Backup Codes" below)

2f. Success!

MFA is now enabled. You will be logged out automatically.

Step 3: Test MFA

  1. Log into AWS console with your username and password
  2. When prompted, enter the 6-digit code from your authenticator app
  3. You are now logged in with MFA protection

Backup Codes

When you enable MFA, AWS provides 10 backup codes. These codes allow you to log in if you lose access to your MFA device.

Backup Code Format:

12AB-3CD4
5EF6-7GH8
... (8 more codes)

Important: Each code can only be used once.

Storing Backup Codes Securely

  1. Save in password manager (1Password, LastPass, Bitwarden)
  2. Never store in email or cloud services (accessible if email is compromised)
  3. Never screenshot (screenshots can be synchronized to cloud storage)
  4. Print and store securely (locked drawer, safe)
  5. Tell a trusted colleague where backup codes are stored (for account recovery if unavailable)

DO NOT:
  • Lose the codes
  • Share codes with anyone
  • Store in version control
  • Store in plaintext files on your desktop

Hardware MFA Keys

For additional security, hardware MFA keys provide the strongest protection.

Recommended Hardware Keys:
  • AWS Titan Security Key (AWS-made, $30-40)
  • YubiKey 5 Series (widely compatible, $40-80)
  • Titan M2 (portable, $50)

Hardware Key Setup (High-Level)

  1. Purchase hardware key from AWS or approved vendor
  2. AWS console → Security Credentials → Assign MFA Device → Hardware Token
  3. Enter device serial number from the key
  4. Follow on-screen prompts to complete registration
  5. Press the button on hardware key when logging in (no codes to enter)

Root Account MFA (Critical)

The root account is the most powerful AWS account and must have hardware MFA protection.

Why Root Account Needs Hardware MFA

  • Root has unrestricted access to all AWS resources
  • Root credentials compromise means complete account compromise
  • Root cannot be restricted by IAM policies
  • Root can perform operations like account closure

Root Account Setup

  1. Log in as root (using email and password)
  2. AWS console → Security Credentials → Multi-Factor Authentication
  3. Select U2F Security Key or Hardware Token
  4. Register hardware key (YubiKey, Titan, etc.)
  5. Do not use virtual MFA for root — too risky if phone is compromised

Root Account Access

The root account should be used only in emergencies:
  • Creating new AWS accounts
  • Closing AWS accounts
  • Restoring deleted data
  • Addressing payment issues

Recommendation: Use sts:AssumeRole with MFA to access root-equivalent IAM role for normal operations.

Using MFA in Daily Operations

Logging In with MFA

  1. Navigate to AWS console: https://console.aws.amazon.com
  2. Enter username and password
  3. When prompted: MFA Code — Open authenticator app, enter 6-digit code
  4. Click Verify
  5. You are now logged in (session valid for 12 hours)

Using MFA with AWS CLI

MFA is required for CLI operations. Use sts:GetSessionToken to obtain temporary credentials.

Step 1: Get Session Token with MFA

aws sts get-session-token \
  --serial-number arn:aws:iam::ACCOUNT_ID:mfa/username \
  --token-code 123456 \
  --duration-seconds 3600

Step 2: Response Contains Temporary Credentials

{
  "Credentials": {
    "AccessKeyId": "ASIAX...",
    "SecretAccessKey": "...",
    "SessionToken": "...",
    "Expiration": "2024-01-15T15:30:00Z"
  }
}

Step 3: Export Temporary Credentials

export AWS_ACCESS_KEY_ID=ASIAX...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...

Step 4: Use AWS CLI

All CLI commands now run under the MFA-backed session and pass the ForceMFA check:

aws s3 ls
aws ec2 describe-instances
aws rds describe-db-instances

Simplified MFA CLI Setup (Bash Script)

Create a helper script to automate MFA token retrieval:

#!/bin/bash
# ~/.aws/mfa-token.sh -- meant to be *sourced* so the exports land in your shell

if [ -z "$1" ]; then
    echo "Usage: source mfa-token.sh <mfa-code>"
    return 1 2>/dev/null || exit 1   # 'return' when sourced, 'exit' when run directly
fi

# Assumes your IAM username matches your local login name; adjust if it differs
MFA_SERIAL="arn:aws:iam::123456789012:mfa/$(whoami)"
MFA_CODE="$1"

# Drop any previous (possibly expired) session from the environment; STS will not
# issue a new session token to temporary credentials. Long-term keys are read
# from ~/.aws/credentials.
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

# Ask STS for temporary credentials backed by this MFA code (valid for 1 hour)
if ! CREDENTIALS=$(aws sts get-session-token \
  --serial-number "$MFA_SERIAL" \
  --token-code "$MFA_CODE" \
  --duration-seconds 3600); then
    echo "Failed to obtain an MFA session token" >&2
    return 1 2>/dev/null || exit 1
fi

export AWS_ACCESS_KEY_ID=$(echo "$CREDENTIALS" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDENTIALS" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$CREDENTIALS" | jq -r '.Credentials.SessionToken')

echo "MFA session active for 1 hour"

Usage:

source ~/.aws/mfa-token.sh 123456
# Enter your MFA code (123456 in this example)

Using MFA with Terraform/Infrastructure as Code

Terraform and other IaC tools use the same AWS credentials as the CLI, so obtain an MFA-backed session first (see the helper script above). The backend configuration itself needs no MFA-specific settings:

terraform/backend.tf:

terraform {
  backend "s3" {
    bucket         = "menotime-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-lock"
  }
}

Before running Terraform:

source ~/.aws/mfa-token.sh 123456
terraform plan
terraform apply

MFA Device Loss or Replacement

If You Lose Your Phone (MFA Device)

  1. Immediately contact the AWS Account Administrator
  2. Provide one of your backup codes as proof of identity
  3. The AWS Administrator logs into the console and:
     • Navigates to your IAM user
     • Removes the existing MFA device
  4. You can now log in with password only (MFA temporarily disabled)
  5. Reconfigure MFA with your new device

If All Backup Codes Are Used

  1. Contact AWS Account Administrator
  2. Provide secondary proof of identity (corporate email, security questions)
  3. Administrator disables MFA
  4. You reconfigure MFA with backup codes

What Happens If MFA is Not Set Up

If you do not enable MFA, the ForceMFA policy will block your access:

Blocked Actions

  • ✗ Cannot access EC2 console
  • ✗ Cannot access RDS console
  • ✗ Cannot access S3 console
  • ✗ Cannot use AWS CLI for any operations
  • ✗ Cannot assume IAM roles
  • ✗ Cannot access production data

Allowed Actions (Until MFA Setup)

  • ✓ View account information
  • ✓ Access IAM console
  • ✓ Create/configure MFA device
  • ✓ Change password

Error Message

When attempting to access blocked resources without MFA:

AccessDenied
User: arn:aws:iam::123456789012:user/john.doe is not authorized to perform: ec2:DescribeInstances on resource: * with an explicit deny in a permissions boundary

Resolution: Enable MFA following "MFA Setup Instructions" above.

Troubleshooting

"Invalid MFA Code"

Problem: AWS rejects your MFA code

Causes:
  • Clock skew on your phone
  • Wrong 6-digit code (expired or incorrect)
  • Authenticator app not synchronized

Solutions:
  1. Check the system time on your phone — it should match AWS time
  2. Wait for the code to refresh (~30 seconds) and try again
  3. Reinstall the authenticator app if codes consistently fail
  4. Use a backup code if you have one

"Lost Backup Codes"

Problem: You lost the backup codes and cannot access your MFA device

Solution:
  1. Contact the AWS Account Administrator
  2. Prove your identity with corporate email or security questions
  3. The Administrator temporarily disables MFA
  4. Reconfigure MFA and generate new backup codes
  5. Save the backup codes securely

"Authenticator App Not Synced"

Problem: Authenticator app codes are not working

Causes:
  • Phone system time incorrect (check: Settings > Date & Time > Auto)
  • App not properly synchronized with AWS
  • Phone clock drifted

Solutions:
  1. Ensure the phone has automatic time/date enabled
  2. Close and reopen the authenticator app
  3. Resync the MFA device: AWS console → Security Credentials → Resync MFA Device → Enter two consecutive codes
  4. Use backup codes for temporary access while resolving the sync issue
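The clock-skew cause behind both "Invalid MFA Code" and "Authenticator App Not Synced" follows from how the 6-digit, 30-second codes are derived from time. This added example (not from the page or from AWS) implements RFC 6238 TOTP with the RFC's published test secret, and simulates a phone whose clock is off; the one-step tolerance in `verify()` and the `skew_outcome()` helper are assumptions for illustration, not AWS's documented verifier settings.

```python
# Added example (not part of the MenoTime page): RFC 6238 TOTP (HMAC-SHA1,
# 30-second step, 6 digits) and a simulation of a drifted phone clock.
import hmac
import hashlib
import struct

STEP = 30          # seconds per code, as in the setup instructions above
DIGITS = 6

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second step that contains unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the code if it matches any step within +/- window steps of server time.

    window=1 is an assumed tolerance: it forgives up to ~30-59 seconds of drift,
    which is why a phone that is minutes off produces 'invalid' codes.
    """
    return any(hmac.compare_digest(totp(secret, server_time + STEP * d), code)
               for d in range(-window, window + 1))

def skew_outcome(secret: bytes, server_time: int, phone_skew_seconds: int) -> bool:
    """Does the code shown on a phone whose clock is off by phone_skew_seconds verify?"""
    phone_code = totp(secret, server_time + phone_skew_seconds)
    return verify(secret, phone_code, server_time)

if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 Appendix B test secret
    for skew in (0, 20, 120, -100):
        print(f"phone skew {skew:5d}s -> {'accepted' if skew_outcome(secret, 1111111109, skew) else 'rejected'}")
```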

"MFA Device Not Showing in Authenticator App"

Problem: Created the MFA device in AWS but codes are not appearing in the authenticator

Solution:
  1. Return to the AWS console
  2. Delete the MFA device you just created
  3. Start over with "MFA Setup Instructions"
  4. Ensure the authenticator app is open when scanning the QR code

Compliance and Auditing

MFA Compliance Checks

  • Weekly: Automated check that all IAM users have MFA enabled
  • Monthly: Security review of MFA device types (ensure hardware MFA for root)
  • Quarterly: User MFA audit and compliance report
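One way to implement the weekly check, added here as an example (not MenoTime's own tooling): run it over the IAM credential report, which `aws iam generate-credential-report` followed by `aws iam get-credential-report` returns as base64-encoded CSV. The column names are the report's real ones; the rows, account id and usernames below are constructed.

```python
# Added example (not part of the MenoTime page): weekly "all IAM users have MFA
# enabled" check over the IAM credential report. Decode the report's Content
# field with base64 first; the CSV here is a constructed, abridged sample.
import csv
import io

SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,false
carol,arn:aws:iam::123456789012:user/carol,false,false,false,false
"""

def _truthy(value: str) -> bool:
    return value.strip().lower() == "true"

def mfa_findings(report_csv: str) -> dict:
    """Return {"critical": [...], "violations": [...]} from credential-report CSV text.

    critical:   the root account without MFA (the page requires hardware MFA on root)
    violations: users who can sign in (console password) or call the API (an active
                access key) but whose mfa_active column is false
    Users with neither a password nor an active key are skipped: they cannot sign
    in at all, so there is nothing for MFA to protect yet.
    """
    findings = {"critical": [], "violations": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        has_mfa = _truthy(row["mfa_active"])
        if row["user"] == "<root_account>":
            if not has_mfa:
                findings["critical"].append(row["user"])
            continue
        can_sign_in = _truthy(row["password_enabled"]) or any(
            _truthy(row[k]) for k in ("access_key_1_active", "access_key_2_active"))
        if can_sign_in and not has_mfa:
            findings["violations"].append(row["user"])
    return findings

if __name__ == "__main__":
    for level, users in mfa_findings(SAMPLE_REPORT).items():
        print(f"{level}: {', '.join(users) or 'none'}")
```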

Non-Compliance Actions

  • First occurrence: Email reminder to enable MFA
  • After 7 days: Account flagged for violation
  • After 14 days: Account access suspended until MFA is enabled

Questions? Contact the Security Officer at security@timelessbiotech.com.

Lost Access? Contact AWS Account Administrator for account recovery assistance.