Enable MFA for a user

Last Update:2014-07-29 Source: Internet

Author: User

Tags aws management console

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

If you are root/admin account, in order to configure a virtual MFA device, you must have physical access to the device. for example, if you are using ing MFA for a user who will use a smartphone to generate an OTP, you must have the smartphone available in order to finish the wizard. because of this, you might want to let them configure the devices themselves. if the following policy is attached to a user or to a group that the user is in, the user can manage configure and manage his or her own virtual MFA device using the AWS Management Console.

{  "Version": "2012-10-17",  "Statement": [    {      "Sid": "AllowUsersToCreateDeleteTheirOwnVirtualMFADevices",      "Effect": "Allow",      "Action": ["iam:*VirtualMFADevice"],      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:mfa/${aws:username}"]    },    {      "Sid": "AllowUsersToEnableSyncDisableTheirOwnMFADevices",      "Effect": "Allow",      "Action": [        "iam:DeactivateMFADevice",        "iam:EnableMFADevice",        "iam:ListMFADevices",        "iam:ResyncMFADevice"      ],      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/${aws:username}"]    },    {      "Sid": "AllowUsersToListVirtualMFADevices",      "Effect": "Allow",      "Action": ["iam:ListVirtualMFADevices"],      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:mfa/*"]    },    {      "Sid": "AllowUsersToListUsersInConsole",      "Effect": "Allow",      "Action": ["iam:ListUsers"],      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/*"]    }  ]}

Note:

You can use a specific name such"David" to replace ${aws:username}, Then this policy is attached to userDavid. As with the policies for accessing user-specific Amazon object, you 'd have to create a separate policy for each user that includes des the user's name, and then attach each policy to the individual users.
When you use a policy variable ($ {AWS: username}) for the user name like this, you don't have to have a separate policy for each individual user. instead, you can attach this new policy to an Iam group that includes des everyone who shoshould be allowed to manage their own access keys. when a user makes a request to modify his or her access key, Iam substitutes the user name from the current request for${aws:username}Variable and evaluates the policy.

To configure and enable a virtual MFA device for a user
- Sign in to the AWS Management Console and open the iam console at https://console.aws.amazon.com/iam.
- In the Navigation Pane, click User and then select the user you want to enable the virtual MFA.
- In the user details pane, select security credentials, and then click manage MFA device.
- In the manage MFA device wizard, select a virtual MFA device and then click Continue.
- Confirm that a virtual MFA application is installed on the user's mobile device and then click Continue. (For a list of apps that you can use as virtual MFA devices, see multi-factor authentication .) iam generates and displays configuration information for the virtual MFA device, including a QR code similar to the following graphic.
- With the manage MFA device wizard still open, open the virtual MFA application on the device. if the device supports QR codes, the easiest way to configure the application is to use the application to scan the QR code. if you cannot scan the code, you can enter the secret configuration key manually.
  - To use the QR code to configure the virtual MFA device, follow the app instructions for scanning the code. for example, you might need to tap the camera icon or tap a command like scan account barcode, and then use the device's camera to scan the code.
  - If you cannot scan the code, enter the configuration information manually by typing the secret configuration key value into the application. for example, to do this in the AWS virtual MFA application, tapmanually add account, and then type the secret configuration key and click Create.
  - NoteThe QR code and secret configuration key are unique and cannot be reused.
- When you are finished processing ing the device, the device starts generating six-digit numbers.
- In the iam manage MFA device wizard, in the authentication code 1 box, type the six-digit number that's currently displayed by the MFA device. wait 30 seconds for the device to generate a new number, and then type the new six-digit number into the authentication code 2 box. click continue.

Note: If you are root/admin account, you can enable MFA for the users (need the users 'mfa device or smart phone which runs virtual MFA device app) or let them enable it themselves via granting them privileges to enable MFA.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More