
  • Effective DevOps with AWS
  • Yogesh Raheja Giuseppe Borgese Nathaniel Felsen
  • 424 words
  • 2021-07-23 16:27:26

Enabling MFA on the root account

In order to avoid any kind of issues, the first thing we need to do once we sign up is enable multi-factor authentication (MFA). In case you haven't seen or heard of this before, MFA is a security system that requires more than one method of authentication from independent categories of credentials. These are used to verify the user's identity in order to log in. In practice, once MFA is enabled, you will still need the password you set when you signed up in order to log in. However, you will also need a second code provided by a different source. That second source can be a physical device such as the SafeNet IDProve, which is available at http://amzn.to/2u4K1rR, an SMS on your phone, or an application installed on your smartphone. We will use the third option, an application installed on your smartphone, which is completely free:

  1. Go to your App Store, Google Play Store, or App Marketplace and install an application called Google Authenticator (or any other equivalent, such as Authy).
  2. In the AWS Management Console, open the My Security Credentials page in the top-right corner.
  3. If prompted to create and use AWS Identity and Access Management (IAM) users with limited permissions, click on the Continue to Security Credentials button. We will explore the IAM system in Chapter 3, Treating Your Infrastructure as Code. Expand the Multi-factor authentication (MFA) section on the page.
  4. Pick virtual MFA and follow the instructions to sync Google Authenticator with your root account (note that the scan QR code option is the easiest one to pair the device).

From this point on, you will need your password and the token displayed on the MFA application in order to log in as root in the AWS console.

Two general tips for managing your passwords and MFA are as follows:
  • There are a number of good applications to manage passwords, such as 1Password at https://agilebits.com/onepassword or Dashlane at https://www.dashlane.com.
  • For MFA, you can also try using Authy at https://www.authy.com. This works like Google Authenticator but also has a centralized server allowing it to work across multiple devices (including desktop applications), so if you lose your phone, you won't lose access to AWS.

As we have seen earlier, root account usage should be limited to a bare minimum. So, in order to create virtual servers, configure services, and so on, we will rely on the IAM service, which gives us granular control over the permissions of each user.
