Bootstrap FreeKB - Amazon Web Services (AWS) - Create IAM Multi Factor Authentication (MFA) Devices using the AWS CLI
Amazon Web Services (AWS) - Create IAM Multi Factor Authentication (MFA) Devices using the AWS CLI
Updated:   |  Amazon Web Services (AWS) articles

This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

IAM (Identity and Access Management) contains non-root users that have been permitted to perform certain actions. IAM can be setup with Multi-Factor Authentication (MFA). For example, a users mobile phone can be added so that the user must first authenticate with their username and password (something they know) and must next authenticate with an authentication code from their MFA device (something they have). The Microsoft Authenticator app is one such app that could be used to authenticate.

 

The aws iam create-virtual-mfa-devices command can be used to create a QR Code PNG file that can be used to assign a Multi-Factor Authentication (MFA) device.

~]$ aws iam create-virtual-mfa-devices --virtual-mfa-device-name MyMFADevice --outfile /path/to/QRCode.png --bootstrap-method QRCodePNG
{
    "VirtualMFADevice": {
        "SerialNumber": "arn:aws:iam::123456789012:mfa/MyMFADevice"
    }
}

 

The aws iam list-virtual-mfa-devices command can then be used to list the IAM multi-factor authentication devices that have been added. Assuming the user has not yet scanned the QR Code to assign their device, all that should be returned is SerialNumber.

{
    "VirtualMFADevices": [
        {
            "SerialNumber": "arn:aws:iam::123456789012:mfa/MyMFADevice"
        }
    ]
}

 

The aws iam enable-mfa-device command can be used to assign an MFA device to a user. In this example, perhaps John Doe has the Microsoft Authenticator app on his cell phone, and he uses the Microsoft Authenticator app to get the authentication codes.

aws iam enable-mfa-device \
    --user-name johndoe \
    --serial-number arn:aws:iam::713123434212:mfa/JohnDoesCellPhone \
    --authentication-code1 123456 \
    --authentication-code2 789012

 

Once the device has been assigned/enabled, something like this should be returned.

{
    "VirtualMFADevices": [
        {
            "SerialNumber": "arn:aws:iam::713441234252:mfa/JohnDoesCellPhone",
            "User": {
                "Path": "/",
                "UserName": "johndoe",
                "UserId": "AIDA1234L76GABCDB2123",
                "Arn": "arn:aws:iam::713123434212:user/johndoe",
                "CreateDate": "2022-09-13T11:13:03+00:00"
            },
            "EnableDate": "2023-06-14T01:52:35+00:00"
        }
    ]
}

 

Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee


Comments


Add a Comment


Please enter 7de915 in the box below so that we can be sure you are a human.