How to add a Second MFA device?

1

Hello. Now that AWS has announced that they support multiple MFA devices, how do I go about actually adding one? When I click on Manage MFA device for my IAM user, I don't get any option to add a new MFA device.

  • Currently it looks like it's available in some AWS Accounts but not all of them.

  • Same problem. But only on my older accounts. The newer accounts do have the option to add multiple MFA devices.

  • We are also seeing this issue on all of our IAM users, even when testing with the broadest IAM policy we're unable to add a second MFA for ourselves or another user.

  • We're seeing the same issue on one of our accounts. All of our other accounts are working fine. We even tried the IAM policy change from the answer below.

Asked 1 year ago · Viewed 575 times
2 answers
1

According to AWS-support "not all accounts are yet eligible"

Expert
AndersB
Answered 1 year ago
0

The policy that allows MFA to be configured uses the ${aws:username} variable and needs to be changed. Change "arn:aws:iam::*:mfa/${aws:username}" to "arn:aws:iam::*:mfa/*" to allow secondary MFA devices to be registered.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html

Answered 1 year ago
  • In my environment, the MFA device registration button appears after reloading the management console several times, perhaps because it is still cached.

    If you have any other issues, please check if they are restricted by Permission Boundary or SCP in AWS Organizations. Additionally, make sure the account you are using is not for the AWS GovCloud (US) Region or AWS China Region.

  • This is not a good policy change to make. I just tested and verified that it grants access for all users to manage any user's MFA devices.

  • What @MJ1821 said.

    We have a policy in place that allows users to manage their own MFA devices in the console, this only worked because the ARN for the device was automatically set to ...mfa/${aws:username} - now it's broken, because any name can be entered for the device and we'd have to use ...mfa/${aws:*} instead :(

    Is there a way to fix this?

  • The policy-thing is another issue than the original question but here it is:

    The ARN of the device is arn:aws:iam::<accountnumber>:<devicetype>/user/<username>/<givenname>-<random-if-u2f>

    Where devicetype = mfa or u2f or <something else for TOTP hw-device>, so the policy should be arn:aws:iam:::mfa/${aws:username}/ AND arn:aws:iam:::u2f/${aws:username}/
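The answer above and the comments on it disagree about what widening `mfa/${aws:username}` to `mfa/*` actually grants. The script below is an added example, not code from the thread or from AWS: it walks an IAM policy document and reports every MFA-related Allow statement whose resource ARN is not tied to `${aws:username}`. The action-to-resource-type mapping (Enable/Deactivate/Resync/ListMFADevices are authorized against the user ARN, Create/DeleteVirtualMFADevice against the mfa device ARN) is taken from the IAM action reference. The two policy documents are constructed samples: the first reproduces the two MFA statements of the self-manage policy as the thread describes it, the second applies the answer's change to it. Wildcard actions such as `iam:*` are not expanded, and `${aws:username}` in a device ARN is treated as self-scoping only by naming convention.

```python
"""Flag MFA-related Allow statements that are not scoped to the calling user."""
import copy
from typing import Any, Dict, List, Optional, Tuple

# Resource type each MFA action is authorized against, per the IAM action
# reference: "user" = ARN of the IAM user whose MFA is enabled/deactivated/
# resynced, "mfa" = the virtual MFA device object itself.
MFA_ACTIONS = {
    "iam:CreateVirtualMFADevice": "mfa",
    "iam:DeleteVirtualMFADevice": "mfa",
    "iam:EnableMFADevice": "user",
    "iam:DeactivateMFADevice": "user",
    "iam:ResyncMFADevice": "user",
    "iam:ListMFADevices": "user",
}

# Policy variable that ties a resource ARN to the caller's own user name.
SELF_VAR = "${aws:username}"


def _as_list(value: Any) -> List[Any]:
    """IAM allows either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _resource_type(arn: str) -> Optional[str]:
    """Return the IAM resource type ('mfa', 'user', ...) of an IAM ARN, '*' for any."""
    if arn == "*":
        return "*"
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) < 6:
        return None
    return parts[5].split("/", 1)[0]


def find_unscoped_mfa_grants(policy: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Return (Sid, action, resource) for every MFA action allowed on a resource
    whose ARN does not contain ${aws:username}. Only actions listed explicitly
    in MFA_ACTIONS are inspected; wildcard actions such as iam:* are ignored."""
    findings: List[Tuple[str, str, str]] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            wanted = MFA_ACTIONS.get(action)
            if wanted is None:
                continue
            for resource in _as_list(stmt.get("Resource")):
                rtype = _resource_type(resource)
                if rtype not in (wanted, "*"):
                    continue  # this resource ARN can never match this action
                if SELF_VAR not in resource:
                    findings.append((stmt.get("Sid", "<no Sid>"), action, resource))
    return findings


# Constructed sample: the two MFA statements of the self-manage policy as the
# thread describes it, with the device ARN tied to the user name (hypothetical
# Sids, modelled on the AWS example policy).
SELF_MANAGE_ORIGINAL = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}",
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice",
                       "iam:ListMFADevices", "iam:ResyncMFADevice"],
            "Resource": "arn:aws:iam::*:user/${aws:username}",
        },
    ],
}

# The change proposed in the answer above: device ARN widened to mfa/*.
ANSWER_VARIANT = copy.deepcopy(SELF_MANAGE_ORIGINAL)
ANSWER_VARIANT["Statement"][0]["Resource"] = "arn:aws:iam::*:mfa/*"

if __name__ == "__main__":
    for name, doc in (("original", SELF_MANAGE_ORIGINAL), ("answer variant", ANSWER_VARIANT)):
        print(name, find_unscoped_mfa_grants(doc) or "all MFA grants scoped to ${aws:username}")
```

Run against the sample, the original policy produces no findings, while the answer's variant reports Create/DeleteVirtualMFADevice on `mfa/*`; the Enable/Deactivate statement stays scoped to the caller's own user ARN in both. The check only reports the widening: a resource pattern like `mfa/${aws:username}` restricts by device name, so once device names are free-form (as the later comments describe) no rewrite of that pattern brings the per-user restriction back, and the review has to move to the user-scoped actions instead.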
