1.2.3. Enable Hardware MFA

Enable a Hardware MFA Device Using the Console

  1. Sign in to the AWS Console.
  2. In the top right of the navigation bar, choose your account name, then choose My Security Credentials and expand Multi-factor authentication (MFA).


  3. To manage a hardware MFA device, your IAM user needs the permissions granted by the following policy. In the left bar, choose Policies, then Create policy, open the JSON tab and paste the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
  4. Choose Review policy.
  5. Enter a name for the policy, then choose Create policy.
  6. In the left bar, choose Dashboard, expand Activate MFA on your root account, then choose Manage MFA.
  7. Expand Multi-factor authentication (MFA), then choose Activate MFA.
  8. Choose Other Hardware MFA Device, then click Continue.
  9. Enter the serial number printed on the back of the device.


  10. Enter MFA code 1, wait 30 seconds for the device to rotate, then enter MFA code 2.
  11. Choose Assign MFA.
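The policy pasted in step 3 works because IAM lets an explicit Deny win, NotAction inverts the action list, and BoolIfExists treats a missing aws:MultiFactorAuthPresent key as a match. The following offline evaluator is an added example (not AWS code) that reproduces just that subset of IAM evaluation over the page's policy; the user name alice and the account ID are constructed sample values.

```python
from fnmatch import fnmatchcase

# The page's two-statement policy, embedded so the example runs offline.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
         "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                    "iam:ListMFADevices", "iam:ResyncMFADevice"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
         "NotAction": ["iam:EnableMFADevice", "iam:GetUser",
                       "iam:ListMFADevices", "iam:ResyncMFADevice"],
         "Resource": "arn:aws:iam::*:user/${aws:username}",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _statement_matches(stmt, action, resource, ctx):
    """True if the statement applies to this request (subset of IAM semantics)."""
    pattern = stmt["Resource"].replace("${aws:username}", ctx["aws:username"])
    if not fnmatchcase(resource, pattern):
        return False
    if "Action" in stmt and action not in stmt["Action"]:
        return False
    if "NotAction" in stmt and action in stmt["NotAction"]:
        return False
    # BoolIfExists: a missing key counts as a match. That is what catches requests
    # signed with long-term access keys, which carry no MFA context at all.
    for key, wanted in stmt.get("Condition", {}).get("BoolIfExists", {}).items():
        if key in ctx and str(ctx[key]).lower() != wanted.lower():
            return False
    return True

def is_allowed(action, resource, ctx):
    """Explicit Deny wins; otherwise an Allow is required; else implicit deny."""
    allowed = False
    for stmt in POLICY["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    me = "arn:aws:iam::123456789012:user/alice"   # constructed sample ARN
    no_mfa = {"aws:username": "alice"}             # access-key request, no MFA key
    with_mfa = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
    print(is_allowed("iam:EnableMFADevice", me, no_mfa))        # True: enrolment
    print(is_allowed("iam:DeactivateMFADevice", me, no_mfa))    # False: needs MFA
    print(is_allowed("iam:DeactivateMFADevice", me, with_mfa))  # True
```

The evaluator shows why the Deny statement is written with NotAction rather than Action: enrolment, resync and listing stay available without MFA, but removing a device does not.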