How to allow MFA self-management with custom MFA device names (multiple MFA)

Now that IAM users can add multiple MFA devices, they can also choose a name for their devices. This results in the MFA device getting an ARN where the last part is not the user name anymore, and a permissions error when using the suggested MFA self-management policy.

How does one allow the iam:CreateVirtualMFADevice and iam:DeleteVirtualMFADevice actions only for MFA devices assigned to a user, if the ARN of the MFA device does not reflect the user anymore?

Permissions error

asked 19 days ago, 227 views
7 Answers
With help from AWS support we changed our policy to allow people to self-manage (all) their MFA devices without any naming restrictions.

From:

        {
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}",
            "Effect": "Allow"
        },

To:

        {
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/*",
            "Effect": "Allow",
            "Condition": {
                "StringLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:user/${aws:username}"
                    ]
                }
            }
        },

The condition makes it so users can only change their own MFA devices no matter what the name is. Working so far.

GdeVos
answered 14 days ago
  • Thanks for sharing. I'll post the final policy, could you please take a look at it?

We're going to update this policy example shortly - we apologize for any inconvenience. The policy example did not allow a customer to manage more than 1 MFA device for themselves because of the constraint on having the virtual MFA device being equal to the user name.

It's only possible to have a virtual MFA device associated with 1 user at a time. As an immediate workaround the resource can be removed from the statement allowing the creation of a virtual MFA device. In doing so, for most customers it'd likely be advisable to remove the DeleteVirtualMFADevice statement so as not to allow someone to delete any unassigned MFA device that may be used later. Here's an example:

        {
            "Action": [
                "iam:CreateVirtualMFADevice"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
answered 14 days ago
  • What about these other actions, how is the user going to manage them?

    "iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice"

  • Those operations are authorized on the user ARN, not the MFA device ARN. Should function as-is without change.

  • Keeping the resource as "Resource": "arn:aws:iam::*:user/${aws:username}" did not work properly. I tried for instance to remove my device with "iam:DeactivateMFADevice" and got an error.

Based on @GdeVos's answer above, I think the final policy should be like below. I ran a couple of tests and it seems to be working fine.

Do you agree?

{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Sid":"AllowViewAccountInfo",
          "Effect":"Allow",
          "Action":"iam:ListVirtualMFADevices",
          "Resource":"*"
       },
       {
          "Sid":"AllowManageOwnVirtualMFADevice",
          "Effect":"Allow",
          "Action":[
             "iam:CreateVirtualMFADevice",
             "iam:DeleteVirtualMFADevice"
          ],
          "Resource":"arn:aws:iam::*:mfa/*",
          "Condition":{
             "StringLike":{
                "aws:PrincipalArn":[
                   "arn:aws:iam::*:user/${aws:username}"
                ]
             }
          }
       },
       {
          "Sid":"AllowManageOwnUserMFA",
          "Effect":"Allow",
          "Action":[
             "iam:DeactivateMFADevice",
             "iam:EnableMFADevice",
             "iam:GetUser",
             "iam:ListMFADevices",
             "iam:ResyncMFADevice"
          ],
          "Resource":"arn:aws:iam::*:user/*",
          "Condition":{
             "StringLike":{
                "aws:PrincipalArn":[
                   "arn:aws:iam::*:user/${aws:username}"
                ]
             }
          }
       },
       {
          "Sid":"DenyAllExceptListedIfNoMFA",
          "Effect":"Deny",
          "NotAction":[
             "iam:CreateVirtualMFADevice",
             "iam:EnableMFADevice",
             "iam:GetUser",
             "iam:ListMFADevices",
             "iam:ListVirtualMFADevices",
             "iam:ResyncMFADevice",
             "sts:GetSessionToken"
          ],
          "Resource":"*",
          "Condition":{
             "BoolIfExists":{
                "aws:MultiFactorAuthPresent":"false"
             }
          }
       }
    ]
}
answered 14 days ago
  • I don't think you need to change the AllowManageOwnUserMFA section; that will still map to user/${aws:username}. But otherwise, yes, this should work.

  • Actually, keeping the resource as "Resource": "arn:aws:iam::*:user/${aws:username}" in the AllowManageOwnUserMFA section does not work properly. I tried for instance to remove my device with "iam:DeactivateMFADevice" and got a policy unauthorized error.
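To see how the statements in the policy above actually evaluate, here is an added Python simulation of IAM's identity-policy logic (explicit Deny, then Allow, else implicit deny). It is not from this thread and not AWS's evaluator; it assumes a constructed IAM user "alice", a dummy account id, and no SCPs or permission boundaries. The runs show that the aws:PrincipalArn condition compares the caller's own ARN against the caller's own ${aws:username}, so it holds for any IAM user, and only the Resource pattern decides which user and device ARNs a statement covers.

```python
import fnmatch
# The thread's final policy, condensed to Python literals (same statements, same content).
POLICY = [
    {"Effect": "Allow", "Action": ["iam:ListVirtualMFADevices"], "Resource": "*"},
    {"Effect": "Allow", "Resource": "arn:aws:iam::*:mfa/*",
     "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
     "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:user/${aws:username}"]}}},
    {"Effect": "Allow", "Resource": "arn:aws:iam::*:user/*",
     "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:user/${aws:username}"]}}},
    {"Effect": "Deny", "Resource": "*",
     "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                   "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                   "sts:GetSessionToken"],
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]

def request_context(username, mfa_present, account="123456789012"):
    """Constructed context keys IAM populates for an IAM user (the account id is a dummy)."""
    ctx = {"aws:username": username, "aws:PrincipalArn": f"arn:aws:iam::{account}:user/{username}"}
    if mfa_present is not None:  # None models a long-term access key: the key is absent entirely
        ctx["aws:MultiFactorAuthPresent"] = "true" if mfa_present else "false"
    return ctx

def _matches(stmt, action, resource, ctx):
    listed = any(fnmatch.fnmatchcase(action, a) for a in stmt.get("Action", stmt.get("NotAction")))
    if listed != ("Action" in stmt):  # NotAction applies to every action that is NOT listed
        return False
    if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        for key, wanted in keys.items():
            if op == "StringLike":  # policy variables are substituted from the request context
                pats = [p.replace("${aws:username}", ctx["aws:username"]) for p in wanted]
                if not any(fnmatch.fnmatchcase(ctx.get(key, ""), p) for p in pats):
                    return False
            elif op == "BoolIfExists" and key in ctx and ctx[key] != wanted:
                return False  # an absent key counts as a match for the ...IfExists operators
    return True

def evaluate(policy, action, resource, ctx):
    """Identity-policy logic only: explicit Deny wins, then any Allow, else implicit deny."""
    effects = {s["Effect"] for s in policy if _matches(s, action, resource, ctx)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else "ImplicitDeny")

if __name__ == "__main__":  # quick demo: the condition compares alice to alice, so user/* is wide open
    alice = request_context("alice", mfa_present=True)
    print(evaluate(POLICY, "iam:DeactivateMFADevice", "arn:aws:iam::123456789012:user/bob", alice))
```

Narrowing the Resource elements back to the caller's own ARNs (user/${aws:username}, and a device-naming convention for mfa/) is what keeps a user from touching another user's MFA state with this policy.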

In the meantime, since I think they don't have a proper solution now, I'm planning to use the following statements to allow my users to self-manage multiple MFA devices, using "${aws:username}*":

Of course, by using that I need to send them instructions to always use their username as part of MFA device name.

        {
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}*",
            "Effect": "Allow"
        }
answered 15 days ago
  • Your second statement there is a bit broad - that may allow someone to update more than just their own MFA devices - particularly if someone's username was a part of someone else's.

I have full admin access and I still can't add multiple MFA devices on my own account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

HMOF
answered 14 days ago
  • I have the same problem with one of our AWS accounts. Multiple MFA devices works fine on all of our other accounts. It's like it didn't get enabled on the one.

We are running into the same thing. When listing the MFA devices they are linked to an aws:username, but we haven't found a way, if there is any, to use that in a policy to restrict it.

"MFADevices": [
        {
            "UserName": "a_username",
            "SerialNumber": "arn:aws:iam::<accountid>:mfa/<user-chosen-mfa-name>",
            "EnableDate": "2022-11-17...Z"
        },

It would have been a lot simpler if the name were something like :mfa/<username>-<user-chosen-mfa-name> . :,-)

GdeVos
answered 19 days ago
I have the same question since the suggested policy does not work properly anymore with multiple MFA devices capability: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage-mfa-only.html

iam:DeactivateMFADevice does not work either.

answered 18 days ago
