
Enabling multi-factor authentication on the root account

In order to avoid any kind of issues, the first thing we need to do once we sign up is to enable multi-factor authentication (MFA). In case you haven't come across it before, MFA is a security system that verifies a user's identity at login by requiring more than one method of authentication, drawn from independent categories of credentials. In practice, once it is enabled, logging in to your root account requires the password you set when you signed up and also a code provided by a different source. That second source can be a physical device such as the SafeNet IDProve available on Amazon.com (http://amzn.to/2u4K1rR), an SMS sent to your phone, or an application installed on your smartphone. We will use the third option, which is completely free:

  1. Go to your App Store, Google Play Store, or App Marketplace and install an application called Google Authenticator (or an equivalent such as Authy).
  2. In the AWS Management Console, in the top-right corner, open the My Security Credentials page.
  3. If prompted for Creating and using AWS IAM users with limited permissions, click on Continue to Security Credentials. (We will explore the IAM system in Chapter 3, Treating Your Infrastructure As Code.) Expand the Multi-factor authentication (MFA) section on the page.
  4. Pick Virtual MFA and follow the instructions to sync Google Authenticator with your root account (note that scanning the QR code is the easiest way to pair the device).

From this point on, you will need your password and the token displayed on the MFA application to log in as root in the AWS console.

Two general tips for managing your passwords and MFA
There are a number of good applications to manage passwords, such as 1Password (https://agilebits.com/onepassword) or Dashlane (https://www.dashlane.com).
For MFA, I really like Authy (https://www.authy.com). It works like Google Authenticator but also has a centralized server allowing it to work across multiple devices (including desktop applications), so if you lose your phone you won't lose access to AWS.

As we have seen earlier, the root account usage should be limited to a bare minimum. So in order to create virtual servers, configure services, and so on, we will rely on the IAM service that will let us have granular control over permissions for each user.
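
To confirm that the root account really is protected by MFA and is rarely used, you can audit the `<root_account>` row of the IAM credential report. The following is an added example, not code from the book: the function name `audit_root`, the 30-day threshold, and the sample report (trimmed to the columns used, with a placeholder account ID) are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample using column names from the IAM credential report,
# trimmed to the columns checked below; not output from a real account.
SAMPLE_REPORT = """\
user,arn,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2024-05-01T09:30:00+00:00,false,true,false
alice,arn:aws:iam::123456789012:user/alice,2024-05-02T08:00:00+00:00,true,false,false
"""


def audit_root(report_csv, now, recent_days=30):
    """Return findings for the <root_account> row of a credential report."""
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    if root is None:
        return ["no <root_account> row in report"]

    findings = []
    # The root user should always have an MFA device attached.
    if root["mfa_active"].lower() != "true":
        findings.append("root has no MFA device")
    # Long-lived root access keys bypass the console MFA prompt entirely.
    for n in ("1", "2"):
        if root.get(f"access_key_{n}_active", "false").lower() == "true":
            findings.append(f"root access key {n} is active")
    # Root usage should be kept to a bare minimum, so flag recent logins.
    last_used = root.get("password_last_used", "")
    try:
        used = datetime.fromisoformat(last_used)
    except ValueError:  # e.g. "no_information" or "N/A"
        used = None
    if used is not None:
        if used.tzinfo is None:
            used = used.replace(tzinfo=timezone.utc)
        if now - used < timedelta(days=recent_days):
            findings.append(f"root console login within {recent_days} days: {last_used}")
    return findings


if __name__ == "__main__":
    for finding in audit_root(SAMPLE_REPORT, datetime(2024, 5, 10, tzinfo=timezone.utc)):
        print(finding)
```

On a real account, the report is produced with `aws iam generate-credential-report` and fetched with `aws iam get-credential-report`, whose `Content` field is the base64-encoded CSV.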
