The aim of this post is to configure an IAM policy in AWS so that users whose accounts have been provisioned with specific permissions can register for MFA themselves, and are denied everything else until they have done so. The authenticator used here is the Microsoft Authenticator app on iOS, but Google Authenticator or any other TOTP authenticator works the same way.
First, we need a policy that can be assigned to the user which not only forces them to log in with MFA but also grants exactly the permissions they need to carry out the registration themselves (create a virtual MFA device named after their user, activate it, and list their own devices).
Go to IAM, click Policies, then click Create policy. Click the JSON tab and paste the policy below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnPasswords",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:GetUser"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnSigningCertificates",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSigningCertificate",
        "iam:ListSigningCertificates",
        "iam:UpdateSigningCertificate",
        "iam:UploadSigningCertificate"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnSSHPublicKeys",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSSHPublicKey",
        "iam:GetSSHPublicKey",
        "iam:ListSSHPublicKeys",
        "iam:UpdateSSHPublicKey",
        "iam:UploadSSHPublicKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnGitCredentials",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceSpecificCredential",
        "iam:DeleteServiceSpecificCredential",
        "iam:ListServiceSpecificCredentials",
        "iam:ResetServiceSpecificCredential",
        "iam:UpdateServiceSpecificCredential"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
A few points worth understanding before you rely on this policy. The Allow statements are scoped to the caller's own user (and own virtual MFA device) through the ${aws:username} variable, so a user can only ever touch their own credentials. The AllowManageOwnVirtualMFADevice statement only permits a virtual device whose name equals the user name (arn:aws:iam::*:mfa/${aws:username}); the console picks that name by default, but an enrolment done from the CLI or API has to use it explicitly. The final Deny statement is what enforces MFA: it denies every action except the short NotAction list whenever aws:MultiFactorAuthPresent is false or absent. BoolIfExists matters here because the key is absent on requests signed with long-term access keys, so those are denied as well; sts:GetSessionToken is left in the list precisely so that a user with access keys can exchange them plus a TOTP code for MFA-backed temporary credentials. Note that iam:ChangePassword is not in the NotAction list, so a user who has not yet enrolled cannot change their password under this policy.
Click Review Policy
Name the policy Force_MFA
While still in IAM, click User groups and create a new group called EC2MFA.
Attach the Force_MFA policy we just created to the group
Next select the user that we want to force to register for MFA and add them to the group
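The same provisioning steps (create the policy, create the group, attach one to the other, add the user) done with AWS Tools for PowerShell rather than the console. This is an added example and not part of the original post; it assumes the AWS.Tools.IdentityManagement module is installed, the shell already holds administrative credentials, the policy JSON above has been saved as .\Force_MFA.json, and the user name route53accessdev (taken from the post) is the account being enrolled.

```powershell
# Added example, not from the original post. Provisions Force_MFA and EC2MFA
# with AWS Tools for PowerShell. Assumes: AWS.Tools.IdentityManagement installed,
# admin credentials already configured, and the policy JSON saved as .\Force_MFA.json.
Import-Module AWS.Tools.IdentityManagement

$PolicyName = 'Force_MFA'
$GroupName  = 'EC2MFA'
$UserName   = 'route53accessdev'   # user name from the post; change for your user

# Re-use the customer-managed policy if it already exists, otherwise create it
# from the JSON file. -Scope Local limits the listing to policies in this account.
$policy = Get-IAMPolicyList -Scope Local | Where-Object PolicyName -eq $PolicyName
if (-not $policy) {
    $doc    = Get-Content -Raw -Path .\Force_MFA.json
    $policy = New-IAMPolicy -PolicyName $PolicyName -PolicyDocument $doc `
                  -Description 'Self-service MFA enrolment; denies everything else until MFA is present'
}

# Create the group if needed; attaching the same policy twice is harmless.
if (-not (Get-IAMGroupList | Where-Object GroupName -eq $GroupName)) {
    New-IAMGroup -GroupName $GroupName | Out-Null
}
Register-IAMGroupPolicy -GroupName $GroupName -PolicyArn $policy.Arn

# Put the user in the group so the Force_MFA policy applies to them.
Add-IAMUserToGroup -UserName $UserName -GroupName $GroupName

# Verify the result: the group carries the policy and the user is a member.
Get-IAMAttachedGroupPolicyList -GroupName $GroupName | Select-Object PolicyName, PolicyArn
Get-IAMGroupForUser -UserName $UserName | Select-Object GroupName
```

Attaching the policy to a group rather than directly to the user keeps the enrolment requirement in one place: every user you add to EC2MFA picks it up, and removing the user from the group is all that is needed to lift it.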
Now, using a different browser or a completely new session, log in as the user you just applied the MFA policy to. (This is just for demo purposes; the user will do this part themselves.)
Check the user's permissions: at this point they should not be able to do anything beyond the handful of calls in the NotAction list (view their own user and MFA devices, create and enable a virtual MFA device, and sts:GetSessionToken), because MFA is required for everything else.
Click the username and select My Security Credentials
Click Assign MFA device
Sometimes the console reports that the user already has an MFA device assigned even though they never completed enrolment. This usually happens when an earlier attempt created the virtual MFA device (the iam:CreateVirtualMFADevice step) but never activated it with two codes (iam:EnableMFADevice), leaving an unassigned virtual device named after the user. Because the policy only allows creating a device with that exact name, the next attempt collides with the orphaned one.
To overcome this we can use the AWS Tools for PowerShell module. Log in with an administrative account and run the command below to list the virtual MFA devices in the account and which user, if any, each is assigned to:
Get-IAMVirtualMFADevice
Copy the user’s details and put into a remove command as below:
Remove-IAMVirtualMFADevice -SerialNumber arn:aws:iam::194574524582:mfa/route53accessdev
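A slightly safer version of the clean-up above, as an added example that is not from the original post: it only looks at devices IAM reports as Unassigned, checks first that the user does not already have a working device, and does a dry run before actually deleting. It assumes AWS.Tools.IdentityManagement and administrative credentials; the user name is a placeholder taken from the post.

```powershell
# Added example, not from the original post. Removes an orphaned (created but never
# activated) virtual MFA device that blocks a user's self-enrolment.
# Assumes AWS.Tools.IdentityManagement and admin credentials; set $DryRun = $false to delete.
Import-Module AWS.Tools.IdentityManagement

$UserName = 'route53accessdev'   # placeholder user name from the post
$DryRun   = $true

# A device the user finished enrolling is Assigned to them. If one exists, stop:
# deleting it would reset their MFA, which is a different operation from this fix.
$active = Get-IAMMFADevice -UserName $UserName
if ($active) {
    Write-Warning "$UserName already has an active MFA device: $($active.SerialNumber)"
    return
}

# Devices created but never activated are Unassigned and carry no User.
$orphans = Get-IAMVirtualMFADevice -AssignmentStatus Unassigned
$orphans | Select-Object SerialNumber, EnableDate

# The policy only lets the user create a device named after themselves
# (arn:aws:iam::<account>:mfa/<username>), so that is the serial to look for.
$stale = $orphans | Where-Object { $_.SerialNumber -like "*:mfa/$UserName" }
if (-not $stale) {
    Write-Host "No orphaned virtual MFA device found for $UserName"
    return
}

foreach ($device in $stale) {
    if ($DryRun) {
        # -WhatIf prints what would be removed without calling the API for real.
        Remove-IAMVirtualMFADevice -SerialNumber $device.SerialNumber -WhatIf
    } else {
        # -Force skips the interactive confirmation prompt.
        Remove-IAMVirtualMFADevice -SerialNumber $device.SerialNumber -Force
        Write-Host "Removed $($device.SerialNumber); $UserName can now enrol again"
    }
}
```

Running the dry run first is worth the few seconds: the only thing that distinguishes an orphaned device from a live one is its assignment status, and this is an account-wide listing.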
Now the user can try again to register an MFA device as before:
You then need to ensure that the user has downloaded the Microsoft Authenticator app to their mobile device. Then click Show QR code.
On the mobile device tap the +
Select Work or school account
Hold your camera over the QR code on screen
The AWS account is added to the app automatically.
We then just have to enter two consecutive codes from the app into the two code fields and click Assign MFA.
The Setup should be successful
The user can then log in again as normal:
but will then be prompted for the current MFA code from the authenticator app before the console session is granted.
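The console login shows the end result, but the same policy governs API access, and that is where the BoolIfExists condition earns its keep. The script below, an added example that is not part of the original post, walks through the enrolled user's experience from PowerShell: with long-term access keys alone, only the NotAction calls succeed; after exchanging the keys plus a TOTP code for temporary credentials via sts:GetSessionToken, the Allow statements take effect. It serves both the "check the user's permissions" step earlier and the final login step here. It assumes the AWS.Tools.Common, AWS.Tools.IdentityManagement and AWS.Tools.SecurityToken modules, the user's access key pair (placeholders below), and that the user has already enrolled a virtual MFA device.

```powershell
# Added example, not from the original post. Exercises the Force_MFA policy from the
# user's side. Assumes AWS.Tools.Common / IdentityManagement / SecurityToken modules,
# the user's long-term access key pair (placeholders), and an enrolled MFA device.
Import-Module AWS.Tools.Common, AWS.Tools.IdentityManagement, AWS.Tools.SecurityToken

$UserName  = 'route53accessdev'   # placeholder user name from the post
$AccessKey = 'AKIA_PLACEHOLDER'   # placeholder, the user's own access key id
$SecretKey = 'SECRET_PLACEHOLDER' # placeholder, the matching secret key

# 1. Long-term keys only: aws:MultiFactorAuthPresent is absent from the request,
#    so BoolIfExists makes the Deny apply to everything outside the NotAction list.
Set-AWSCredential -AccessKey $AccessKey -SecretKey $SecretKey

Get-IAMUser -UserName $UserName | Select-Object UserName, Arn     # iam:GetUser: allowed
try {
    Get-IAMAccountSummary | Out-Null                               # iam:GetAccountSummary
    Write-Host 'Unexpected: GetAccountSummary succeeded without MFA'
} catch {
    Write-Host "Denied without MFA, as intended: $($_.Exception.Message)"
}

# 2. Exchange keys + TOTP code for MFA-backed temporary credentials.
#    iam:ListMFADevices and sts:GetSessionToken are both in the NotAction list.
$serial = (Get-IAMMFADevice -UserName $UserName).SerialNumber
$code   = Read-Host 'Current code from the authenticator app'
$tmp    = Get-STSSessionToken -SerialNumber $serial -TokenCode $code -DurationInSeconds 3600

# Switch the session to the temporary credentials (they carry the session token).
Set-AWSCredential -AccessKey $tmp.AccessKeyId -SecretKey $tmp.SecretAccessKey `
                  -SessionToken $tmp.SessionToken
Write-Host "MFA session valid until $($tmp.Expiration)"

# 3. With MFA present the Deny no longer matches and the Allow statements apply.
$summary = Get-IAMAccountSummary
Write-Host "Users in account: $($summary['Users']); MFA devices in use: $($summary['MFADevicesInUse'])"
```

Anything scripted against this user (the EC2 work the group name hints at) has to follow the same pattern: obtain a session token with a TOTP code first, then run the rest of the job with those temporary credentials rather than the long-term keys.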