Add Microsoft Authenticator MFA to AWS Accounts

The aim of this post is to configure policies in AWS so that users whose accounts have been provisioned with specific permissions can register for MFA themselves. The authenticator used here is the Microsoft Authenticator iOS app, but Google Authenticator or any other authenticator app would work the same way.

First, we need to create a policy that can be assigned to the user. It must not only force them to log in with MFA but also grant them the permissions they need to carry out the registration process themselves.

Go to IAM, click Policies, then click Create policy. Click the JSON tab and paste the JSON below into the policy editor.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",       
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
        },       
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
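The last statement is what actually enforces MFA: it denies everything except the handful of calls needed to register a device whenever aws:MultiFactorAuthPresent is false or absent. As an added example (not part of the original post), the small offline evaluator below models just that logic over an abridged copy of the Force_MFA statements, so you can see which calls survive without MFA; the user name alice and account 123456789012 are constructed.

```python
import fnmatch

# Constructed, abridged copy of the statements the Force_MFA policy above relies on.
POLICY = {"Statement": [
    {"Sid": "AllowManageOwnAccessKeys", "Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:ListAccessKeys"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Sid": "AllowManageOwnVirtualMFADevice", "Effect": "Allow",
     "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
     "Resource": "arn:aws:iam::*:mfa/${aws:username}"},
    {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
     "Action": ["iam:EnableMFADevice", "iam:ListMFADevices"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
     "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                   "iam:GetUser", "iam:ListMFADevices",
                   "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                   "sts:GetSessionToken"],
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

def _covers(stmt, action, resource, username):
    """True if the statement's Action/NotAction and Resource match the call."""
    pattern = stmt["Resource"].replace("${aws:username}", username)
    if not fnmatch.fnmatchcase(resource, pattern):
        return False
    acts = stmt.get("Action") or stmt["NotAction"]
    hit = any(fnmatch.fnmatchcase(action, a) for a in acts)
    return hit if "Action" in stmt else not hit

def _condition_holds(stmt, ctx):
    """Only BoolIfExists is modelled: an absent key (requests signed with
    long-term access keys carry no aws:MultiFactorAuthPresent) counts as a match."""
    for key, want in stmt.get("Condition", {}).get("BoolIfExists", {}).items():
        if key in ctx and str(ctx[key]).lower() != want:
            return False
    return True

def evaluate(action, resource, username, mfa_present=None):
    """IAM order: explicit Deny wins, then a matching Allow, else implicit Deny.
    mfa_present=None models long-term keys; True/False a console or STS session."""
    ctx = {} if mfa_present is None else {"aws:MultiFactorAuthPresent": mfa_present}
    for effect in ("Deny", "Allow"):
        for s in POLICY["Statement"]:
            if (s["Effect"] == effect and _covers(s, action, resource, username)
                    and _condition_holds(s, ctx)):
                return effect
    return "Deny"
```

Without MFA the user can still create and enable their own virtual device, but anything else (creating an access key, for instance) is explicitly denied; with MFA present the ordinary Allow statements take over, still scoped to the user's own ARN.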


Click Review policy.

Name the policy Force_MFA.

While still in IAM, click Groups and create a new group called EC2MFA.

Attach the Force_MFA policy we just created to the group.

Next, select the user we want to force to register for MFA and add them to the group.

Now, using a different browser or a completely new session, log in as the user you just applied the MFA policy to. (This is just for demo purposes; the user will do this part themselves.)

Check the user's permissions: they should not be able to do anything at this point, because MFA is required.

Click the username and select My Security Credentials.

Click Assign MFA device.

There seems to be a bug whereby sometimes it appears as though the user has already registered for MFA, as the error below suggests (typically a virtual MFA device with that user's name was created by an earlier, incomplete registration attempt and never enabled):

To overcome this we can use the AWS PowerShell module. Log in with an appropriately privileged account and run the command below to list the virtual MFA devices in the account and which users they are attached to:

Get-IAMVirtualMFADevice

Copy the device's serial number (its ARN) from the output and pass it to a remove command as below:

Remove-IAMVirtualMFADevice -SerialNumber arn:aws:iam::194574524582:mfa/route53accessdev

Now the user can try again to register an MFA device as before:

You then need to ensure that the user has installed the Microsoft Authenticator app on their mobile device. Then click Show QR code.

On the mobile device tap the +.

Select Work or school account.

Hold the phone's camera over the QR code on screen.

AWS is automatically associated.

We then just have to enter the next two consecutive codes that appear in the app and click Assign MFA.

The setup should be successful.


The user can then log in again as normal, but will now be prompted for their MFA code from the authenticator app.
