One of the problems with good security is that it is easy to actually lock yourself out. We have had a number of students ask about what happens if you lose your phone, or forget a password.
It is very easy to think that this is just a lab environment and I can be a bit sloppy. However this is the time to practice being the professional that you want be, and want to be able to show off at an interview. As a professional you need to think ahead about what could go wrong and have a plan to address it.
- Always have a 2nd Admin account.
- This account should be on a different MFA device, —or—
- You might only assign it an API key set which you test once, keep in a safe and never use.
- Practice using the CLI to create accounts and reset the MFA (external site, opens in new tab) so that you can easily move to a new device if needed. Even without a separate Admin account you can use your key set to reset your MFA.
- Keep a copy of the setup QR code somewhere secure. With this you can set up a new device.
- Ensure that you keep records of your sign-up and payments so that if you need to ask AWS for assistance that you have the necessary supporting documentation to prove that you are the bonafide account owner.
Since this article was first written AWS have come up with new methods and advice. This will still work, but please also read the following:
- Enabling a virtual multi-factor authentication (MFA) device (console) (external site, opens in new tab)
- Lost or unusable Multi-Factor Authentication (MFA) device (external site, opens in new tab)
- What if an MFA device is lost or stops working? (external site, opens in new tab)
- Deactivating MFA devices (external site, opens in new tab)
- Enabling and managing virtual MFA devices (AWS CLI or AWS API) (external site, opens in new tab)
If you need help, please contact Pluralsight Support.