1.2.2. Enable U2F Security Key

Enable a U2F Security Key using Console


U2F is an open authentication standard that allows users to securely access online services with a single security key and no additional software.

  1. Sign in to the AWS Console
  2. In the top right of the navigation bar, choose your account name, choose My Security Credentials, then expand Multi-factor authentication (MFA)

  3. To manage a U2F security key, you must have the permissions granted by the following policy. In the left bar, choose Policies, then choose Create policy, choose the JSON tab, and paste the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
  4. Choose Review policy
  5. Enter a name for the policy, then choose Create policy
  6. In the left bar, choose Dashboard, expand Active MFA on your root account, then choose Manage MFA
  7. Expand Multi-factor authentication (MFA), then choose Active MFA
  8. In Manage MFA Device, choose U2F security key, then click Continue
  9. Insert the U2F security key into your computer's USB port.

  10. Tap the U2F security key, and then choose Close when U2F setup is complete.
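
To see what the MFA self-management policy shown earlier permits before and after a key is registered, here is a simplified evaluator for its two statements. It is an added example, not code from this workshop or from AWS. The user names, account ID and request contexts are constructed, context values are modelled as strings, and only this single policy is evaluated (no other attached policies, boundaries or SCPs).

```python
from fnmatch import fnmatchcase

# The policy's two statements, reduced to the fields evaluated here.
SELF = "arn:aws:iam::*:user/${aws:username}"
NO_MFA_OK = ["iam:EnableMFADevice", "iam:GetUser",
             "iam:ListMFADevices", "iam:ResyncMFADevice"]
STATEMENTS = [
    {"Effect": "Allow", "Action": NO_MFA_OK + ["iam:DeactivateMFADevice"],
     "Resource": SELF},
    {"Effect": "Deny", "NotAction": NO_MFA_OK, "Resource": SELF,
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]

def resource_matches(pattern, arn, username):
    # Substitute the policy variable, then apply wildcard matching.
    return fnmatchcase(arn, pattern.replace("${aws:username}", username))

def condition_matches(cond, ctx):
    # BoolIfExists: a key that is absent from the request context counts as a match.
    for key, want in cond.get("BoolIfExists", {}).items():
        if key in ctx and ctx[key] != want:
            return False
    return True

def statement_applies(st, action, arn, username, ctx):
    if "Action" in st:
        action_ok = action in st["Action"]
    else:
        action_ok = action not in st["NotAction"]
    return (action_ok and resource_matches(st["Resource"], arn, username)
            and condition_matches(st.get("Condition", {}), ctx))

def evaluate(action, arn, username, ctx):
    effects = {st["Effect"] for st in STATEMENTS
               if statement_applies(st, action, arn, username, ctx)}
    if "Deny" in effects:  # an explicit deny overrides any allow
        return "ExplicitDeny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

if __name__ == "__main__":
    alice = "arn:aws:iam::111122223333:user/alice"  # constructed ARN
    no_mfa = {"aws:MultiFactorAuthPresent": "false"}
    for action, arn, ctx in [("iam:EnableMFADevice", alice, no_mfa),
                             ("iam:DeactivateMFADevice", alice, no_mfa),
                             ("iam:DeactivateMFADevice", alice, {}),
                             ("s3:GetObject", "arn:aws:s3:::bucket/key", no_mfa)]:
        print(action, arn, ctx, "->", evaluate(action, arn, "alice", ctx))
```

The last case returns ImplicitDeny rather than ExplicitDeny: the Deny statement's Resource is the user's own IAM ARN, so this policy by itself does not block non-MFA access to other services if another policy allows it.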