IAM users should have MFA (virtual or hardware) enabled¶
Description¶
Enabling MFA provides increased security as it requires the authenticating principal to possess a device that emits a time-sensitive key (for hardware MFA) and have knowledge of a credential (virtual MFA).
Console Remediation Steps¶
To enable a virtual MFA device:
Navigate to IAM.
In the navigation pane, choose Users.
In the User Name list, choose the name of the intended MFA user.
Choose the Security credentials tab. Next to Assigned MFA device, choose Manage.
In the Manage MFA Device wizard, choose Virtual MFA device, and then choose Continue. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic.
Open your virtual MFA app. See AWS’s list of supported MFA apps.
Determine whether the MFA app supports QR codes, and then do one of the following:
From the wizard, choose Show QR code, and then use the app to scan the QR code.
In the Manage MFA Device wizard, choose Show secret key, and then type the secret key into your MFA app.
In the Manage MFA Device wizard, in the MFA code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the MFA code 2 box. Choose Assign MFA.
To enable a hardware MFA device:
Navigate to IAM.
In the navigation bar in the upper right, choose your user name, then My Security Credentials.
On the AWS IAM credentials tab, in the Multi-factor authentication section, choose Manage MFA device.
In the Manage MFA device wizard, choose Hardware MFA device and then choose Continue.
Type the device serial number. The serial number is usually on the back of the device.
In the MFA code 1 box, type the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.
Wait 30 seconds while the device refreshes the code, and then type the next six-digit number into the MFA code 2 box. You might need to press the button on the front of the device again to display the second number.
Choose Assign MFA.
CLI Remediation Steps¶
To enable a virtual MFA device, you must first create a virtual device entity in IAM to represent a virtual MFA device. Replace MY_MFA_DEVICE_NAME
with your desired device name and path/to/QRCode.png
with the path where you want the QR code to be saved:
aws iam create-virtual-mfa-device --virtual-mfa-device-name MY_MFA_DEVICE_NAME --outfile path/to/QRCode.png --bootstrap-method QRCodePNG
To enable a virtual MFA device after creating the entity in IAM, replace MY_USER_NAME
with your username, specify the ARN of the virtual MFA device you created, and specify two consecutive codes from the device:
aws iam enable-mfa-device \
--user-name MY_USER_NAME \
--serial-number arn:aws:iam::123456789012:mfa/MY_MFA_DEVICE_NAME \
--authentication-code1 123456 \
--authentication-code2 789012
To enable a hardware MFA device, replace MY_USER_NAME
with your username, specify the serial number of the hardware MFA device, and specify two consecutive codes from the device:
aws iam enable-mfa-device \
--user-name MY_USER_NAME \
--serial-number 12345678 \
--authentication-code1 123456 \
--authentication-code2 789012