January 30, 2026

MFA for Cloud Infrastructure — AWS, GCP, Azure, and Cloudflare Best Practices

Cloud infrastructure is among the highest-value targets for attackers. Here's how to properly secure MFA for your cloud platforms and why a team vault is essential.

Cloud infrastructure accounts are among the most valuable targets for attackers. A compromised AWS root account can drain your budget, exfiltrate your data, and disrupt your services within minutes. A compromised Cloudflare account can redirect your DNS traffic to attacker-controlled servers. A compromised GitHub organization can inject malicious code into your deployments.

Multi-factor authentication is the most effective single control for protecting these accounts. But enabling MFA is only the beginning — for teams managing shared cloud access, how you manage MFA codes matters as much as having them enabled.

Why Cloud Accounts Are High-Value Targets

Cloud providers are targeted heavily because:

  1. The impact is immediate and severe: infrastructure can be destroyed, data exfiltrated, and costs run up — all in hours.
  2. Cloud accounts often have broad permissions: a single compromised admin account can affect everything.
  3. Credentials are often reused: credentials from other breaches work here because people reuse passwords.
  4. Recovery is complex: rebuilding compromised infrastructure takes time and forensic effort.

This is why cloud platform MFA isn't optional — it's the minimum viable security control for any organization running infrastructure in the cloud.

AWS MFA Best Practices

Enable MFA on the root account — immediately

The AWS root account has unrestricted access to everything. If it's compromised, there is no recovery path that doesn't involve contacting AWS support. This account should have a hardware MFA key (YubiKey is recommended) and the credentials should be stored in a secure physical location, used only for root-only tasks.

Do not store AWS root MFA on a personal phone.

Enforce MFA for IAM users

Use an IAM policy to require MFA for all API and console access. AWS provides a policy template whose Deny statement blocks every action except the calls needed to enroll and inspect an MFA device (iam:CreateVirtualMFADevice, iam:EnableMFADevice, iam:GetUser, iam:ListMFADevices) until the request carries MFA.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices"],
    "Resource": "*",
    "Condition": {
      "BoolIfExists": {
        "aws:MultiFactorAuthPresent": "false"
      }
    }
  }]
}
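The following is an added example, not from the article and not AWS code: a minimal evaluator for the Deny-unless-MFA statement above. It implements only what that statement uses (Effect=Deny, Action/NotAction lists, Bool and BoolIfExists on aws:MultiFactorAuthPresent) and ignores the Allow side of real IAM evaluation. Its point is to show why the template says BoolIfExists rather than Bool: API calls signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, so a plain Bool condition would never deny them. The request contexts and the Bool-only variant are constructed for the comparison.

```python
import copy
import json

# The policy from the article (BoolIfExists, as AWS publishes it).
MFA_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                  "iam:GetUser", "iam:ListMFADevices"],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
  }]
}
""")

# Constructed variant with the weaker operator, for comparison only.
BOOL_ONLY_POLICY = copy.deepcopy(MFA_POLICY)
_stmt = BOOL_ONLY_POLICY["Statement"][0]
_stmt["Condition"] = {"Bool": _stmt["Condition"]["BoolIfExists"]}

# Constructed request contexts. Console and STS sessions always carry the key;
# requests signed with long-term access keys do not carry it at all.
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
LONG_TERM_ACCESS_KEY = {}


def condition_matches(condition, context):
    """True when every key in the Condition block matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue          # absent key counts as a match
                if operator == "Bool":
                    return False      # absent key: condition fails, deny does not apply
                raise NotImplementedError(operator)
            if operator not in ("Bool", "BoolIfExists"):
                raise NotImplementedError(operator)
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def is_denied(policy, action, context):
    """True if any Deny statement in the policy applies to this action and context."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        if "NotAction" in statement:
            if action in _as_list(statement["NotAction"]):
                continue
        elif "Action" in statement:
            actions = _as_list(statement["Action"])
            if "*" not in actions and action not in actions:
                continue
        if condition_matches(statement.get("Condition", {}), context):
            return True
    return False


def summarize(action="s3:ListAllMyBuckets"):
    """Compare both operators across the three constructed request types."""
    contexts = {"console+MFA": CONSOLE_WITH_MFA,
                "console no MFA": CONSOLE_NO_MFA,
                "long-term access key": LONG_TERM_ACCESS_KEY}
    return {name: {"BoolIfExists": is_denied(MFA_POLICY, action, ctx),
                   "Bool": is_denied(BOOL_ONLY_POLICY, action, ctx)}
            for name, ctx in contexts.items()}


if __name__ == "__main__":
    for name, result in summarize().items():
        print(f"{name:22s} denied? {result}")
```

The long-term-access-key row is the one that matters: with Bool the deny silently does not apply and a leaked access key works without MFA. Note also that AWS's published template exempts a few more actions than the article shows (among them sts:GetSessionToken, which CLI users need to mint an MFA-backed session), so check the current template before deploying.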

Use AWS IAM Identity Center for team access

For teams, AWS IAM Identity Center (formerly SSO) allows centralized management of user access across multiple AWS accounts. MFA is enforced at the Identity Center level. Individual IAM users in each account are not needed — access is federated.

This is the correct architecture for teams: centralized identity, centralized MFA enforcement, and no per-account user management.

Shared account MFA codes go in a team vault

For accounts that can't use IAM Identity Center — legacy services, accounts with TOTP-based MFA — the OTP code should live in a team vault like Gatera, not on a personal phone. This ensures access is available to authorized team members and revocable when people leave.

Cloudflare MFA Best Practices

Cloudflare controls DNS for your domains — a compromised Cloudflare account can redirect all your web traffic, invalidate your SSL certificates, and intercept your email. Treat it accordingly.

Enable 2FA for all Cloudflare accounts

Cloudflare supports TOTP-based MFA. All accounts with zone or account admin permissions should have MFA enabled. Go to My Profile → Authentication → Two-Factor Authentication.

Use Cloudflare Access for infrastructure access

Cloudflare Access (part of Cloudflare One / Zero Trust) allows you to put any internal service behind identity verification — including MFA — without a VPN. This is the right architecture for SSH access, internal dashboards, and staging environments.

Don't store Cloudflare admin MFA on a personal phone

If multiple team members need to manage Cloudflare configurations, the TOTP code for the shared admin account should be in a team vault. Use Gatera to store Cloudflare OTP codes with per-user access control and audit logging.

GitHub MFA Best Practices

GitHub organizations can now enforce MFA for all members. This should be enabled for any organization with access to production code.

Enforce organization-wide MFA

In GitHub Organization Settings → Authentication Security, enable "Require two-factor authentication for everyone in your organization." Members who don't have MFA enabled are automatically removed from the organization.

Use FIDO2 keys for privileged access

GitHub supports FIDO2/WebAuthn keys. For organization owners and repository admins, hardware keys (YubiKey) provide phishing-resistant authentication that TOTP can't match.

Manage deploy keys and tokens carefully

GitHub Personal Access Tokens (PATs) and deploy keys bypass MFA — they're API credentials. Ensure:

  • PATs are scoped to minimum required permissions
  • PATs have expiration dates
  • PATs are stored in a secrets manager, not in .env files
  • CI/CD pipelines use GitHub Actions OIDC tokens instead of long-lived PATs where possible
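As an added example (not from the article and not GitHub's code), here is a pre-commit style scan that flags GitHub token-shaped strings in files such as .env, since those tokens are API credentials that MFA never protects. The patterns cover the publicly documented prefixes (ghp_ classic PATs, github_pat_ fine-grained PATs, and the gho_/ghu_/ghs_/ghr_ OAuth, user-to-server, installation and refresh tokens); the repository snapshot below is constructed and every token in it is fake.

```python
import re

# Token shapes by documented prefix. Classic and OAuth-family tokens are a
# prefix plus 36 alphanumerics; fine-grained PATs are github_pat_ plus a
# longer alphanumeric/underscore body, matched loosely here.
TOKEN_PATTERNS = {
    "classic PAT": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "fine-grained PAT": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "other GitHub token": re.compile(r"\bgh[osur]_[A-Za-z0-9]{36}\b"),
}


def redact(token):
    """Keep enough to identify the token in a report, never the whole secret."""
    return token[:11] + "..." + token[-4:]


def scan_text(path, text):
    """Return (path, line_no, kind, redacted_token) for every match in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((path, line_no, kind, redact(match.group(0))))
    return findings


def scan_files(files):
    """files: mapping of path -> contents (a real hook would read staged files)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed repository snapshot; the tokens are fake and only follow the shape.
FAKE_CLASSIC = "ghp_" + "A" * 36
FAKE_FINE_GRAINED = "github_pat_" + "1" * 22 + "_" + "b" * 59
SAMPLE_FILES = {
    ".env": "DATABASE_URL=postgres://app:app@db/app\n"
            f"GITHUB_TOKEN={FAKE_CLASSIC}\n",
    "scripts/deploy.sh": "#!/bin/sh\n"
                         f'curl -H "Authorization: Bearer {FAKE_FINE_GRAINED}" https://api.github.com/user\n',
    "README.md": "Set GITHUB_TOKEN in your secrets manager; never commit it.\n",
    ".github/workflows/ci.yml": "permissions:\n  id-token: write\n",  # OIDC: nothing long-lived to leak
}


def main():
    """Exit non-zero when anything token-shaped is found, so a hook can block the commit."""
    findings = scan_files(SAMPLE_FILES)
    for path, line_no, kind, token in findings:
        print(f"{path}:{line_no}: {kind} {token}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The report only ever shows a redacted token, so the hook's own output cannot become a second leak. A scan like this catches the .env mistake after the fact; the OIDC workflow line shows the better fix, where the pipeline holds no long-lived token at all.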

Google Cloud Platform MFA Best Practices

GCP uses Google Workspace / Google accounts for identity. MFA is enforced at the Google account level.

Enforce 2-step verification in Admin Console

In Google Admin Console → Security → Authentication → 2-step verification, configure enrollment as required for all users with GCP access. Set the grace period to 1 day maximum.

Use Google Titan Keys for admin accounts

Google Titan Security Keys are FIDO2-compliant and available for purchase directly from Google. For GCP organization administrators, hardware keys are the appropriate second factor.

Advanced Protection Program for highest-risk accounts

GCP organization admins and billing account admins are candidates for Google's Advanced Protection Program — which enforces hardware key use, blocks most OAuth access, and significantly limits account recovery options.

Azure / Microsoft 365 MFA Best Practices

Microsoft's MFA is primarily managed through Azure Active Directory (now called Entra ID).

Enable Security Defaults or Conditional Access

Security Defaults (free) requires MFA for all users and blocks legacy authentication protocols. Conditional Access (requires Azure AD P1/P2) allows policy-based MFA — requiring MFA only in certain conditions, or requiring step-up authentication for high-risk actions.

For most organizations, Conditional Access is the right choice: it's flexible and provides much better control than Security Defaults.

Require phishing-resistant MFA for privileged roles

Microsoft recommends requiring phishing-resistant MFA (FIDO2 or Windows Hello) for Global Administrator, Privileged Role Administrator, and other high-privilege roles. TOTP is acceptable for regular users but not for admin roles in a mature security posture.

Block legacy authentication

Legacy authentication protocols (SMTP AUTH, IMAP, POP) don't support MFA. Block them in Conditional Access. They're a common bypass path for attackers who have obtained password credentials.

Centralizing Cloud MFA Code Management

Across all these platforms, there's a common pattern: shared accounts and service accounts have TOTP-based MFA that needs to be accessible to multiple team members.

The right architecture:

  1. Federated identity where possible: use your IdP (Azure AD, Google Workspace, Okta) to manage access to cloud platforms via SSO. MFA is enforced at the IdP level.
  2. Team vault for remaining TOTP codes: for accounts that still use direct TOTP — legacy accounts, service accounts, accounts at platforms without SSO support — store the codes in a team MFA vault.

Gatera is designed specifically for the second case: a team vault for shared TOTP codes, with per-user access control, audit logging, and instant revocation.
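To make the team-vault pattern described here (and in the AWS and Cloudflare sections above) concrete, the following is an added example that is not from the article and not Gatera's code: a toy model of a team TOTP vault. What the vault stores is the TOTP seed; users are issued short-lived codes, every issue or refusal is written to an audit log, and revocation takes effect immediately because the seed was never on the user's device. The generator follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) and the constructed seed is the RFC's published test secret, so its codes can be checked against the RFC's test vectors; the vault, access list and audit-log design around it are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(seed, int(at // step), digits)


def decode_setup_key(base32_key):
    """Authenticator setup keys are base32, often spaced, lowercase and unpadded."""
    cleaned = base32_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TeamVault:
    """Assumed design: seeds stay inside, users get codes, everything is logged."""

    def __init__(self):
        self._seeds = {}       # account -> raw seed bytes (never handed out)
        self._members = {}     # account -> set of user ids allowed to get codes
        self.audit_log = []    # (event, actor, account, unix_time)

    def _log(self, event, actor, account, at=None):
        self.audit_log.append((event, actor, account, time.time() if at is None else at))

    def store(self, admin, account, base32_key):
        self._seeds[account] = decode_setup_key(base32_key)
        self._members.setdefault(account, set())
        self._log("seed_stored", admin, account)

    def grant(self, admin, account, user):
        self._members[account].add(user)
        self._log("access_granted", admin, account)

    def revoke(self, admin, account, user):
        self._members[account].discard(user)
        self._log("access_revoked", admin, account)

    def code_for(self, user, account, at=None):
        """Issue one code to an authorized user; refusals are logged as well."""
        if user not in self._members.get(account, set()):
            self._log("code_refused", user, account, at)
            raise PermissionError(f"{user} may not read codes for {account}")
        self._log("code_issued", user, account, at)
        return totp(self._seeds[account], at)


# Constructed data: the RFC 6238 test secret ("12345678901234567890" in ASCII)
# encoded as base32, so codes at the RFC's test times match its vectors.
RFC_TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo():
    """Walk one account through store, grant, code issue, revoke and refusal."""
    vault = TeamVault()
    vault.store("admin", "aws-legacy-console", RFC_TEST_SEED_B32)
    vault.grant("admin", "aws-legacy-console", "alice")
    issued = vault.code_for("alice", "aws-legacy-console", at=59)
    vault.revoke("admin", "aws-legacy-console", "alice")
    try:
        vault.code_for("alice", "aws-legacy-console", at=90)
        refused = False
    except PermissionError:
        refused = True
    return issued, refused, [entry[0] for entry in vault.audit_log]


if __name__ == "__main__":
    print(demo())
```

Two properties of the design carry over to any real vault: the seed is the secret and never leaves the vault, so a departing team member holds nothing that keeps working, and the audit log records refusals as well as successes, which is what you query during an incident. TOTP remains phishable whoever holds the seed, so for the privileged roles named earlier in the article hardware keys are still the right second factor.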

Conclusion

Cloud infrastructure MFA is not optional — and for teams, managing it properly means more than just enabling it. It means centralized code storage, access control, audit logging, and instant revocation capability.

The combination of federated identity (SSO) for platforms that support it, and a team MFA vault for those that don't, covers the full spectrum of cloud authentication management.

Start your Gatera free trial → and bring your cloud MFA code management under organizational control.
