
MFA and access keys

Last reviewed May 28, 2026 Content v20260528
Track mode: none | Means: Read / quiz | Reading: ~2 min | Level: beginner

This lesson

This lesson teaches MFA and access keys: AWS concepts, console/CLI practice patterns, and how the service fits in a typical cloud architecture.

Over-privileged IAM is the #1 cloud breach enabler—least privilege and MFA are non-negotiable baselines.

You will apply MFA and access keys in contexts like production hosting, data pipelines, and corporate cloud landing zones.

Read the lesson, reproduce steps in your AWS Free Tier or sandbox (console and optional AWS CLI), diagram the architecture in notes, and complete MCQs—no in-browser cloud lab.

When you can explain the previous lesson's ideas in your own words.

Multi-factor authentication (MFA) adds a second factor beyond passwords. Access keys (ID + secret) authenticate CLI/SDK calls—treat secrets like passwords.

MFA types

  • Virtual MFA app (Google Authenticator, Authy)
  • Hardware MFA keys (FIDO, U2F) for high-privilege users
  • Require MFA for sensitive operations via IAM condition keys

Access key hygiene

  1. Create keys only when CLI/SDK needs them
  2. Store in password manager or secrets manager—never in Git
  3. Rotate periodically; delete unused keys
  4. Prefer temporary credentials from aws sts assume-role
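
To check the hygiene rules above across a whole account, the following added example (not part of the original lesson) parses an IAM credential report in CSV form and flags console users without MFA plus access keys that are old, unused, or attached to root. The sample rows, the function names and the 90-day thresholds are constructed assumptions; the column names follow the credential report layout.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample: a subset of the IAM credential report columns.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2026-04-01T09:00:00+00:00,2026-05-20T10:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2025-01-15T09:00:00+00:00,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2025-11-01T09:00:00+00:00,2026-05-27T03:00:00+00:00
"""

def parse_ts(value):
    """Return an aware datetime, or None for placeholders such as 'N/A'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit(report_csv, now, max_key_age_days=90, max_idle_days=90):
    """Return (user, issue) findings; both thresholds are assumed policy values."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root can always sign in to the console; IAM users only with a password.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row.get(f"access_key_{n}_active") != "true":
                continue  # key slot empty, inactive, or column not in this extract
            if is_root:
                findings.append((user, f"root access key {n} is active"))
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated and (now - rotated).days > max_key_age_days:
                findings.append((user, f"access key {n} not rotated in {max_key_age_days} days"))
            if used is None:
                findings.append((user, f"access key {n} has no recorded use"))
            elif (now - used).days > max_idle_days:
                findings.append((user, f"access key {n} unused for over {max_idle_days} days"))
    return findings

if __name__ == "__main__":
    now = datetime(2026, 5, 28, tzinfo=timezone.utc)  # fixed date for the sample
    for user, issue in audit(SAMPLE_REPORT, now):
        print(f"{user}: {issue}")
```

On a real account the report comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose `Content` field is the base64-encoded CSV.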

Example placeholders only: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY appear in AWS docs—do not use these as real credentials.

Configure CLI safely

aws configure --profile sandbox
# Enter access key ID and secret when prompted
# Default region: us-east-1 (or your chosen sandbox region)
chmod 600 ~/.aws/credentials

Practice: Perform IAM steps in the IAM Console or with the AWS CLI in a sandbox account only.

Important interview questions and answers

  1. Q: Why MFA on root?
    A: Password leaks are common; MFA blocks most unauthorized Console logins.
  2. Q: Where not to store secrets?
    A: Source code, public repos, Slack messages, or lesson copy-paste into tickets.

Self-check

  1. Name two MFA options for IAM users.
  2. What should you do with unused access keys?

Tip: chmod 600 on ~/.aws/credentials; rotate keys you suspect leaked.

Interview prep

Why MFA?

Second factor blocks most password-only account takeovers.

Key storage?

Never in Git or chat—use secrets manager or role-based temporary credentials.
