Passwords
Passwords are used by IAM users to sign into the AWS Management Console, as well as other AWS web pages, such as the AWS Discussion Forums and the AWS Support Center. AWS allows you to enforce custom password policies that can specify password length, require specific character types, and mandate password rotation. It is crucial to enforce strong password policies to reduce the risk of unauthorized access.
However, it is important to note that passwords are based on a single factor of authentication, something the user knows, and are very commonly compromised. Therefore, they cannot be considered as a strong means of authentication on their own and are not enough to protect critical access to sensitive data and resources.
MFA
MFA adds an extra layer of protection by combining two different kinds of authentication factors: something the user knows (the password) and something they own (an MFA device). With MFA, users have an MFA device that generates a one-time password (OTP) that they must provide when signing in. AWS supports both virtual MFA and physical MFA devices. A virtual MFA device runs in an application on a mobile device such as a smartphone, while a physical MFA device runs on dedicated hardware. Note that MFA can only be used for human users. This is because non-human users, such as applications and services, cannot own an MFA token.
MFA is a must for high-privilege human users, including those with broad permissions, access to sensitive data and resources, and of course the root user. It is also a good practice to enforce MFA for all human users, regardless of their privilege level. This is because any compromised account can potentially be escalated to higher privileges due to misconfigurations or other weaknesses.
Access keys
Access keys consist of an access key ID and a secret access key, which are used to sign programmatic requests made on AWS by IAM users. These programmatic requests include access to the AWS CLI, the AWS SDKs, and the AWS API.
Access keys should be handled carefully. They should not be stored in the clear in configuration files or environment variables, embedded in code, or shared publicly. There have been real-world incidents where access keys were accidentally committed to public code repositories, leading to significant data breaches. Therefore, it is crucial to ensure access keys are securely managed. It is equally important to rotate old access keys regularly and to revoke unused keys in order to maintain the security of your AWS account.
Also, note that access keys alone cannot be considered a strong means of authentication. It is therefore strongly recommended to enforce MFA for AWS CLI access by human users; this is not enforced by default and must be explicitly required through a dedicated IAM policy.
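As an added example (not part of the original text), the following Python script checks an IAM credential report against the recommendations of the MFA and access key sections above: MFA must be active for the root account and for every user with a console password, and active access keys must neither exceed the rotation window nor sit unused. The report is constructed sample data in the column layout of `aws iam get-credential-report` (trimmed to the columns read here), and the 90-day rotation and 45-day idle thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90    # assumed rotation window for access keys
MAX_KEY_IDLE_DAYS = 45   # assumed limit after which an unused active key should be revoked

# Constructed sample report (not real account data), trimmed to the columns this script
# reads, in the layout produced by `aws iam get-credential-report`.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-05-01T08:00:00+00:00,2024-06-20T10:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2023-09-15T08:00:00+00:00,2024-06-25T10:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2024-06-01T08:00:00+00:00,N/A,true,2024-01-01T08:00:00+00:00,2024-02-01T08:00:00+00:00
"""
AUDIT_TIME = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed "now" so the results are reproducible

def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean no value."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def audit_credential_report(report_csv, now):
    """Return (user, finding) pairs for every credential-hygiene violation in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Rule 1: the root account and every user with a console password must have MFA active.
        if (user == "<root_account>" or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        # Rules 2 and 3: each active access key must be within the rotation window and still in use.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            if rotated and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append((user, f"access key {slot} older than {MAX_KEY_AGE_DAYS} days"))
            # A key that has never been used counts as idle since it was created or rotated.
            idle_since = last_used or rotated
            if idle_since and now - idle_since > timedelta(days=MAX_KEY_IDLE_DAYS):
                findings.append((user, f"access key {slot} unused for more than {MAX_KEY_IDLE_DAYS} days"))
    return findings

def audit_sample():
    """Run the audit over the constructed report at the fixed audit time."""
    return audit_credential_report(SAMPLE_REPORT, AUDIT_TIME)
```

Calling `audit_sample()` flags the root account and bob for missing MFA, bob's stale key 1, and ci-deploy's stale and idle key 2, while alice passes; on a real account, feed the decoded output of `aws iam get-credential-report` to `audit_credential_report` with the current time.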