• If you are root/admin account, in order to configure a virtual MFA device, you must have physical access to the device.For example, if you are configuring
    MFA for a user who will use a smartphone to generate an OTP, you must have the smartphone available in order to finish the wizard. Because of this, you might want to let them configure the devices themselves. If the following policy is attached to a
    user or to a group that the user is in, the user can manage configure and manage his or her own virtual MFA device using the AWS Management Console.

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Sid": "AllowUsersToCreateDeleteTheirOwnVirtualMFADevices",

      "Effect": "Allow",

      "Action": ["iam:*VirtualMFADevice"],

      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:mfa/${aws:username}"]

    },

    {

      "Sid": "AllowUsersToEnableSyncDisableTheirOwnMFADevices",

      "Effect": "Allow",

      "Action": [

        "iam:DeactivateMFADevice",

        "iam:EnableMFADevice",

        "iam:ListMFADevices",

        "iam:ResyncMFADevice"

      ],

      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/${aws:username}"]

    },

    {

      "Sid": "AllowUsersToListVirtualMFADevices",

      "Effect": "Allow",

      "Action": ["iam:ListVirtualMFADevices"],

      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:mfa/*"]

    },

    {

      "Sid": "AllowUsersToListUsersInConsole",

      "Effect": "Allow",

      "Action": ["iam:ListUsers"],

      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/*"]

    }

  ]

}

Note:

  1. You can use a specific name such as "David" to replace ${aws:username},
    then this policy is attached to user David. As with the policies for accessing user-specific Amazon object, you'd have to create
    a separate policy for each user that includes the user's name, and then attach each policy to the individual users.
  2. When you use a policy variable (${aws:username})
    for the user name like this, you don't have to have a separate policy for each individual user. Instead, you can attach this new policy to an IAM group that includes everyone who should be allowed to manage their own access keys. When a user makes a request
    to modify his or her access key, IAM substitutes the user name from the current request for the ${aws:username} variable and
    evaluates the policy.

  • To configure and enable a virtual MFA device for a user

    • Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
    • In the navigation pane, click User and then select
      the user you want to enable the virtual MFA for.
    • In the user details pane, select Security Credentials,
      and then click Manage MFA Device.
    • In the Manage MFA Device wizard, select A
      virtual MFA device and then click Continue.
    • Confirm that a virtual MFA application is installed on the user's mobile device and then click Continue.
      (For a list of apps that you can use as virtual MFA devices, see Multi-Factor Authentication.)
      IAM generates and displays configuration information for the virtual MFA device, including a QR code similar to the following graphic.
    • With the Manage MFA Device wizard still open, open
      the virtual MFA application on the device. If the device supports QR codes, the easiest way to configure the application is to use the application to scan the QR code. If you cannot scan the code, you can enter the secret configuration key manually.

      • To use the QR code to configure the virtual MFA device, follow the app instructions for scanning the code. For example, you might need to tap the camera icon or tap a command like Scan
        account barcode, and then use the device's camera to scan the code.
      • If you cannot scan the code, enter the configuration information manually by typing the Secret Configuration
        Key value into the application. For example, to do this in the AWS Virtual MFA application, tapManually add
        account, and then type the secret configuration key and click Create.
      • NoteThe QR code and secret configuration key are unique and cannot be reused.
    • When you are finished configuring the device, the device starts generating six-digit numbers.
    • In the IAM Manage MFA Device wizard, in the Authentication
      Code 1 box, type the six-digit number that's currently displayed by the MFA device. Wait 30 seconds for the device to generate a new number, and then type the new six-digit number into the Authentication
      Code 2 box.Click Continue.

Note: If you are root/admin account, you can enable MFA for the users (need the users' mfa device or smart phone which runs virtual mfa device app) or let them enable it themselves via granting them privileges to enable MFA. 

Enable MFA for a user的更多相关文章

  1. Azure多因素认证

    什么是多重身份验证? 双重验证是需要多种验证方法的身份验证方法,可为用户登录和事务额外提供一层重要的安全保障. 它的工作原理是需要以下两种或多种验证方法: 用户知道的某样东西(通常为密码) 用户具有的 ...

  2. aws 试题

    /* Domain 1 Design Resilient Architectures 1. Which of the following statements regarding S3 storage ...

  3. 用Azure AD 实现Web 应用身份认证的Multi-Factor Authentication(MFA)

    最近客户有个需求,希望把面向public的Web应用中的终端用户数据库由Azure AD来实现,同时希望可以用MFA来实现用户身份认证.这个想法非常好,通过使用Azure的managed servic ...

  4. Azure MFA 守护你的账户安全

    一,引言 MFA 又名 "多因素身份认证",指用户在登录的时候提示输入其他形式的标识.如果只使用密码对用户进行身份验证,是特别不安全的,尤其是在密码泄露的情况下.为了提高安全性,启 ...

  5. Spring Enable annotation – writing a custom Enable annotation

    原文地址:https://www.javacodegeeks.com/2015/04/spring-enable-annotation-writing-a-custom-enable-annotati ...

  6. How those spring enable annotations work--转

    原文地址:http://blog.fawnanddoug.com/2012/08/how-those-spring-enable-annotations-work.html Spring's Java ...

  7. Windows API 设置窗口下控件Enable属性

    参考页面: http://www.yuanjiaocheng.net/webapi/create-crud-api-1-put.html http://www.yuanjiaocheng.net/we ...

  8. 在 ML2 中 enable local network - 每天5分钟玩转 OpenStack(79)

    前面完成了一系列准备工作,本节开始将创建各种 Neutorn 网络,我们首先讨论 local network. local network 的特点是不会与宿主机的任何物理网卡相连,也不关联任何的 VL ...

  9. Android Studio :enable vt-x in your bios security,已经打开还是报错的解决方法

    quote: For Windows 10: First of all, install the intelhaxm-android.exe located in the folder SDK\ext ...

随机推荐

  1. at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    控制台包空指针后跟这个异常,是因为控制层调用service时的失败,无法读到sql,问题在于controller在引入的service没有自动装配,在引入多个service时,每个service都要自 ...

  2. iOS中编写单例类的心得

    单例 1.认识过的单例类有哪些: NSUserDefaults.NSNotificationCenter.NSFileManager.UIApplication 2.单例类 单例类某个类在代码编写时使 ...

  3. SQL Server 2012 通用分页存储过程

    创建存储过程: USE [数据库名] GO SET ANSI_NULLS ON GO SET QUOTED_IDENTIFIER ON GO CREATE PROCedure [dbo].[Split ...

  4. 浅谈Oracle表之间各种连接

    Oracle表之间的连接分为三种: 1.内连接(自然连接) 2.外连接 2.1.左外连接(左边的表不加限制,查询出全部满足条件的结果) 2.2.右外连接(右边的表不加限制,查询出全部满足条件的结果) ...

  5. 自定义View的学习(一) 自绘制控件

    一.自绘控件 就是自己绘制的控件,通过onDraw()方法将控件绘制出来  自定义一个可点击的View  这个View可以记住用户点击的次数 public class CounterView exte ...

  6. Unity 之 Shader 对Z深度的偏移

    对Z深度的偏移 Offset 指令给了我们一个操作正常的ZTest 检测结果的手段. Offset有两个参数,这两个参数理解起来不是很直观,而且具体实现是和硬件相关的 下面在实际例子中看他的效果 Sh ...

  7. 清空IE缓存

    1.打开IE Internet选项 点击设置 2.打开临时文件 点击 查看文件 将目录下的 文件全部删除  重新打开网站即可 到此IE缓存就被删除.

  8. .NET使用Com组件的一点点教训笔记~

    中控IFACE系列的产品,二次开发包 zkemkeeper.dll 在system32 ,SySWoW64都注册了,就是他妈的用不了. 最后,在 system32 ,SySWoW64 注册了,然后把需 ...

  9. 使用AS编译jni文件无法编译出arm64-v8a,x86_64和mips64平台的.so文件的解决方法

    我用的插件版本是:classpath 'com.android.tools.build:gradle-experimental:0.4.0',AS集成和使用ndk编译项目参考官方demo:https: ...

  10. android中ColorStateList及StateListDrawable设置Selector

    写过android的代码相信大家对Selector并不陌生吧,下面来看看这段xml文件是如何定义的 <?xml version="1.0" encoding="ut ...