

"Secure Cloud Computing" by FutUndBeidl is licensed under CC BY 2.0.
In 2025, stolen credentials and phishing attacks were some of the top causes of cloud security breaches; clear evidence that passwords alone are no longer enough to protect AWS environments. Cybercriminals are actively purchasing leaked credentials and exploiting phishing campaigns to gain unauthorized access to cloud environments, taking advantage of weak authentication practices to reach sensitive data. Turning on Multi-Factor Authentication (MFA) in AWS Identity and Access Management (IAM) adds a critical layer of defense, ensuring that even if a password is compromised, your accounts and cloud resources remain protected.
In our first installment of AWS Top 10 Security Risks, we’ll talk about the #1 priority for securing your AWS Accounts: enabling Multi-Factor Authentication for all user accounts. Through this series, we’ll talk about the most common security issues we, at Cloud Security Partners, have seen in our customers’ AWS accounts and how to best address them.
User Accounts in AWS IAM
AWS IAM offers two types of user accounts: root users and IAM users. Root users are created when provisioning a new cloud environment, and are used to administrate all AWS account settings. IAM users are created manually and typically have fewer privileges than the root account, though they may still be granted broad permissions.
Both root accounts and IAM users authenticate using long-lived credentials (passwords), which makes them prime targets for attackers. Enabling MFA is of utmost importance to help prevent account compromise.
Why MFA matters for AWS Accounts
Passwords alone are not enough to protect your AWS accounts. Attackers routinely exploit phishing campaigns, credential reuse, and credential stuffing attacks to gain access to valid credentials. When your password is your only authentication factor, a single compromised credential can lead to complete account takeover.
MFA changes this threat model by combining something you know (your password) with something you have (an MFA device such as your phone). MFA creates a barrier that significantly reduces the risk of unauthorized access. Even if attackers obtain a valid password, they still need the second factor to log in, which is a significant obstacle to most attack campaigns.
Industry data shows that properly implemented MFA can block over 99% of account compromise attempts. For AWS users, enabling MFA is one of the simplest and most effective steps you can take to prevent account takeovers and safeguard your environment.
Types of MFA in AWS IAM
AWS IAM offers a few different types of Multi-Factor Authentication credentials:
- Passkeys, which are cryptographic keys typically stored in your browser or password manager. The private key never leaves the user’s device; it is used to produce a cryptographic signature that the platform can verify.
- Hardware Security Keys, which are similar to passkeys, but are bound to a particular hardware chip. A common example of these is YubiKeys.
- Time-based One-Time Password (TOTP) applications, like Google Authenticator or Authy, which derive a short code from a shared secret and the current time using a hash function, so each code is only valid briefly. These are very easy to set up and are quite commonly used.
Other platforms offer different types of MFA, such as SMS MFA. However, these are not recommended by AWS or Cloud Security Partners, as SMS can be vulnerable to security issues like phishing, spoofing, and SIM swapping. We recommend sticking with one of the built-in AWS MFA mechanisms.
For more information on how to enable MFA for your AWS account, check out the AWS documentation.
Best Practices for Enabling MFA in AWS
When enabling MFA on your user accounts, focus on the following:
- Choose an appropriate MFA method.
Not all MFA methods are created equal; each carries its own cost and security trade-offs. For most enterprises, Cloud Security Partners would recommend hardware security keys; these are extremely hard to phish or steal, and cannot be trivially deleted.
- Use an IAM Policy to require MFA for all user accounts.
MFA is only effective when it is enabled; ensure that all user accounts have MFA properly enabled through centralized enforcement. You can do this with an IAM policy attached to every IAM user from the moment it is created, so that the user must enroll MFA before doing anything else; this is much easier than retrofitting MFA onto accounts after they are created.
- Require MFA for all sensitive actions.
Sensitive actions, such as resource provisioning or deletions, should also use MFA confirmations. This prevents accidental typos and helps protect against a vulnerability called session fixation, in which an attacker steals access to a valid session.
- Register backup MFA methods to prevent lockouts.
It’s important to ensure that MFA does not restrict legitimate users. Ensure that multiple backup MFA devices are registered per account to prevent users from getting locked out of their account if they lose their single MFA device.
- Consider using IAM roles instead of IAM users.
AWS advises against using IAM users, as they rely on long-lived credentials and are not easily governed. They should only be used for legacy purposes and emergencies. Instead, consider replacing IAM users with IAM roles. These can be managed centrally and use short-lived tokens, which are much safer credentials.
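The “require MFA via IAM policy” and “require MFA for sensitive actions” points above can be expressed in one policy document. The block below is an added example, not code from the post or from AWS: it spells out the deny-unless-MFA pattern using the real IAM condition keys aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge, and pairs it with a deliberately simplified simulator of IAM’s evaluation order so the effect can be checked offline. The simulator is an assumption for illustration (explicit Deny wins, then Allow, else implicit deny; resource ARN matching is ignored); JOB_POLICY stands in for whatever permissions a user already has.

```python
"""Deny-unless-MFA IAM policy plus a simplified model of how IAM evaluates it."""
import fnmatch

# Actions a not-yet-MFA'd user needs in order to enrol their own device.
SELF_SERVICE_MFA = ["iam:ListMFADevices", "iam:CreateVirtualMFADevice",
                    "iam:EnableMFADevice", "iam:ResyncMFADevice", "iam:GetUser"]

ENFORCE_MFA_POLICY = {"Version": "2012-10-17", "Statement": [
    # Allow self-service enrolment only, scoped to the caller's own user and MFA ARNs.
    {"Sid": "AllowOwnMfaSetup", "Effect": "Allow", "Action": SELF_SERVICE_MFA,
     "Resource": ["arn:aws:iam::*:user/${aws:username}", "arn:aws:iam::*:mfa/${aws:username}"]},
    # Deny everything else while the session carries no MFA claim. "IfExists" makes the
    # deny also apply when the key is absent entirely (e.g. plain long-term access keys).
    {"Sid": "DenyAllWithoutMfa", "Effect": "Deny", "NotAction": SELF_SERVICE_MFA,
     "Resource": "*", "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    # A destructive action additionally needs a *recent* MFA: deny if older than one hour.
    {"Sid": "DenyTerminateWithStaleMfa", "Effect": "Deny", "Action": "ec2:TerminateInstances",
     "Resource": "*", "Condition": {"NumericGreaterThanIfExists": {"aws:MultiFactorAuthAge": "3600"}}},
]}

# Constructed stand-in for the user's normal job permissions.
JOB_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}

POLICIES = [ENFORCE_MFA_POLICY, JOB_POLICY]


def _matches(patterns, action):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_met(cond, ctx):
    """Only the two '...IfExists' operators used above: an absent key satisfies them."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            if key not in ctx:
                continue
            if op == "BoolIfExists" and str(ctx[key]).lower() != want:
                return False
            if op == "NumericGreaterThanIfExists" and not int(ctx[key]) > int(want):
                return False
    return True


def _applies(stmt, action, ctx):
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    return _condition_met(stmt.get("Condition", {}), ctx)


def is_allowed(policies, action, ctx):
    """Simplified IAM logic: any applicable explicit Deny wins; otherwise need an Allow."""
    effects = {s["Effect"] for p in policies for s in p["Statement"] if _applies(s, action, ctx)}
    return "Deny" not in effects and "Allow" in effects
```

Run through the simulator, a session with no MFA can only enrol a device, a session with fresh MFA can do its job, and a session whose MFA is hours old is still refused the destructive terminate action.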
Conclusion
Multi-Factor Authentication is one of the most critical security controls for protecting access to your AWS environment. It provides a powerful first line of defense against unauthorized access, keeping your accounts secure even if passwords are compromised. By enforcing MFA for every user, integrating it into sensitive workflows, and choosing strong methods like hardware keys or passkeys, you can dramatically reduce your organization’s attack surface and strengthen its overall security posture.
This post is the first in our series on the AWS Top 10 Security Risks: each installment will dive deeper into the most common risks we see across customer environments and how to fix them. Stay tuned for the next blog, and if you’d like expert help evaluating your cloud security, reach out to Cloud Security Partners for a comprehensive assessment of your AWS environment.