U2F Security Key
Content
If you do not have a hardware device, you can skip the steps below.
Enable U2F security key via Console
U2F Security Key is an open authentication protocol that allows users to access online services with a unique security key without using any software.
-
Sign in to the AWS Console.
-
In the upper right corner, you will see your account name, select and select My Security Credentials then expand Multi-factor authentication (MFA).
-
To manage U2F security keys, you must have permissions from the following set of permissions. in the left sidebar, select Policies then select Create policy, select JSON tab and paste the below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
- Select Next: Tags. This is a screen of Tags, a tool used to differentiate AWS resources.
- Select Next: Review. This is the screen that allows you to review the permission set you are creating.
- Enter the permission set name (eg MFAHardDevice) and select Create policy.
- In the left sidebar, select Dashboard and then select Enable MFA.
-
Expand Multi-factor authentication (MFA) then select Active MFA.
-
In Manage MFA Device, select U2F security key then press Continue.
-
Plug the U2F security key into the computer’s USB port.
- Click the U2F security key, and then select Close when U2F is successfully set up.