Hardware MFA Device


Enable other hardware MFA device through the Console

  1. Sign in to the AWS Console.
  2. In the upper right corner, select your account name, then select My Security Credentials and expand Multi-factor authentication (MFA).
  3. To manage your own MFA device (a hardware token or a U2F security key) your IAM user needs the permissions in the policy below. In the left sidebar select Policies, then Create policy, open the JSON tab and paste the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

     Both statements are scoped to your own IAM user ARN (the ${aws:username} policy variable is replaced with the name of the calling user). The Deny statement therefore blocks every IAM action on your own user, other than the four listed, whenever the request was not authenticated with MFA; it does not restrict calls to other services. Because the condition uses BoolIfExists, it also denies requests signed with long-lived access keys, where the aws:MultiFactorAuthPresent key is absent altogether.

  4. Select Next: Tags. Tags are optional key/value labels used to organise AWS resources.
  5. Select Next: Review. This screen lets you review the policy you are creating.
  6. Enter a policy name (for example MFAHardDevice) and select Create policy. The policy grants nothing until it is attached to your user or to a group you belong to.
  7. In the left sidebar, select Dashboard and then select Enable MFA.
  8. Expand Multi-factor authentication (MFA), then select Activate MFA.
  9. In Manage MFA Device, select Other hardware MFA device, then click Continue.
  10. Enter the serial number printed on the back of the device.
  11. Enter the code currently shown on the device as MFA code 1, wait for the device to display the next code (about 30 seconds), and enter it as MFA code 2.
  12. Select Assign MFA.
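To see what the self-service MFA policy above permits and denies before attaching it, here is an added Python example; it is not part of this page and not AWS tooling. It is a small offline evaluator that models only the policy features the page's policy uses (Action and NotAction, Resource with the ${aws:username} variable, Bool and BoolIfExists conditions, explicit deny overriding allow). The account ID 123456789012 and the user names alice and bob are constructed for the sample requests; the policy text is copied from above.

```python
"""Offline evaluator for the self-service MFA policy on this page.

Added example, not boto3 and not how AWS evaluates policies internally. It
covers just enough of IAM evaluation to show which requests the
DenyAllExceptListedIfNoMFA statement catches and which it does not.
"""
import fnmatch
import json
import re

# The policy from the page, unchanged apart from whitespace.
MFA_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
     "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
     "NotAction": ["iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices",
                   "iam:ResyncMFADevice"],
     "Resource": "arn:aws:iam::*:user/${aws:username}",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")

ACCOUNT = "123456789012"  # constructed account id for the sample ARNs


def _listify(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _glob(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    if case_insensitive:  # action names are case-insensitive, ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _expand_variables(text, ctx):
    """Substitute ${aws:username}-style policy variables from the request context."""
    return re.sub(r"\$\{([A-Za-z0-9:]+)\}",
                  lambda m: str(ctx.get(m.group(1), m.group(0))), text)


def _condition_holds(condition, ctx):
    """Bool fails when the key is missing; BoolIfExists passes when it is missing.
    That difference is why the page's Deny also hits long-lived access keys,
    whose requests carry no aws:MultiFactorAuthPresent key at all."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, wanted in pairs.items():
            present = key in ctx
            matches = present and str(ctx[key]).lower() == str(wanted).lower()
            if operator == "Bool" and not matches:
                return False
            if operator == "BoolIfExists" and present and not matches:
                return False
    return True


def _statement_applies(statement, action, resource, ctx):
    if "Action" in statement:
        action_hit = any(_glob(a, action, True) for a in _listify(statement["Action"]))
    else:  # NotAction: statement applies to every action NOT listed
        action_hit = not any(_glob(a, action, True) for a in _listify(statement["NotAction"]))
    resource_hit = any(_glob(_expand_variables(r, ctx), resource)
                       for r in _listify(statement.get("Resource")))
    return action_hit and resource_hit and _condition_holds(statement.get("Condition", {}), ctx)


def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny beats any Allow."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not _statement_applies(statement, action, resource, ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def check(action, mfa=None, user="alice", resource=None):
    """Evaluate one request made by IAM user `user` against the page's policy.

    mfa=True/False sets aws:MultiFactorAuthPresent; mfa=None omits the key,
    which is what a request signed with a long-lived access key looks like.
    resource defaults to the caller's own IAM user ARN.
    """
    ctx = {"aws:username": user}
    if mfa is not None:
        ctx["aws:MultiFactorAuthPresent"] = "true" if mfa else "false"
    if resource is None:
        resource = f"arn:aws:iam::{ACCOUNT}:user/{user}"
    return evaluate(MFA_POLICY, action, resource, ctx)


if __name__ == "__main__":
    for label, result in [
        ("enable own device, no MFA", check("iam:EnableMFADevice", mfa=False)),
        ("deactivate own device, no MFA", check("iam:DeactivateMFADevice", mfa=False)),
        ("deactivate own device, access key", check("iam:DeactivateMFADevice")),
        ("deactivate own device, MFA", check("iam:DeactivateMFADevice", mfa=True)),
        ("deactivate bob's device, MFA", check("iam:DeactivateMFADevice", mfa=True,
                                              resource=f"arn:aws:iam::{ACCOUNT}:user/bob")),
        ("list S3 buckets, no MFA", check("s3:ListAllMyBuckets", mfa=False,
                                         resource="arn:aws:s3:::corp-logs")),
    ]:
        print(f"{label:36s} -> {result}")
```

The last two cases are the caveat worth remembering: the policy never says anything about other users or other services, so those requests end in ImplicitDeny here and are governed entirely by whatever other policies are attached. For a real account, aws iam simulate-principal-policy gives the authoritative answer; this script only helps reason about the policy text offline. The registration the console steps perform can also be done from the CLI with aws iam enable-mfa-device --user-name <user> --serial-number <serial> --authentication-code1 <code1> --authentication-code2 <code2>, and aws iam list-mfa-devices --user-name <user> confirms the assignment.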