• If you are root/admin account, in order to configure a virtual MFA device, you must have physical access to the device.For example, if you are configuring
    MFA for a user who will use a smartphone to generate an OTP, you must have the smartphone available in order to finish the wizard. Because of this, you might want to let them configure the devices themselves. If the following policy is attached to a
    user or to a group that the user is in, the user can manage configure and manage his or her own virtual MFA device using the AWS Management Console.

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Sid": "AllowUsersToCreateDeleteTheirOwnVirtualMFADevices",

      "Effect": "Allow",

      "Action": ["iam:*VirtualMFADevice"],

      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:mfa/${aws:username}"]

    },

    {

      "Sid": "AllowUsersToEnableSyncDisableTheirOwnMFADevices",

      "Effect": "Allow",

      "Action": [

        "iam:DeactivateMFADevice",

        "iam:EnableMFADevice",

        "iam:ListMFADevices",

        "iam:ResyncMFADevice"

      ],

      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/${aws:username}"]

    },

    {

      "Sid": "AllowUsersToListVirtualMFADevices",

      "Effect": "Allow",

      "Action": ["iam:ListVirtualMFADevices"],

      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:mfa/*"]

    },

    {

      "Sid": "AllowUsersToListUsersInConsole",

      "Effect": "Allow",

      "Action": ["iam:ListUsers"],

      "Resource": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/*"]

    }

  ]

}

Note:

  1. You can use a specific name such as "David" to replace ${aws:username},
    then this policy is attached to user David. As with the policies for accessing user-specific Amazon object, you'd have to create
    a separate policy for each user that includes the user's name, and then attach each policy to the individual users.
  2. When you use a policy variable (${aws:username})
    for the user name like this, you don't have to have a separate policy for each individual user. Instead, you can attach this new policy to an IAM group that includes everyone who should be allowed to manage their own access keys. When a user makes a request
    to modify his or her access key, IAM substitutes the user name from the current request for the ${aws:username} variable and
    evaluates the policy.

  • To configure and enable a virtual MFA device for a user

    • Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
    • In the navigation pane, click User and then select
      the user you want to enable the virtual MFA for.
    • In the user details pane, select Security Credentials,
      and then click Manage MFA Device.
    • In the Manage MFA Device wizard, select A
      virtual MFA device and then click Continue.
    • Confirm that a virtual MFA application is installed on the user's mobile device and then click Continue.
      (For a list of apps that you can use as virtual MFA devices, see Multi-Factor Authentication.)
      IAM generates and displays configuration information for the virtual MFA device, including a QR code similar to the following graphic.
    • With the Manage MFA Device wizard still open, open
      the virtual MFA application on the device. If the device supports QR codes, the easiest way to configure the application is to use the application to scan the QR code. If you cannot scan the code, you can enter the secret configuration key manually.

      • To use the QR code to configure the virtual MFA device, follow the app instructions for scanning the code. For example, you might need to tap the camera icon or tap a command like Scan
        account barcode, and then use the device's camera to scan the code.
      • If you cannot scan the code, enter the configuration information manually by typing the Secret Configuration
        Key value into the application. For example, to do this in the AWS Virtual MFA application, tapManually add
        account, and then type the secret configuration key and click Create.
      • NoteThe QR code and secret configuration key are unique and cannot be reused.
    • When you are finished configuring the device, the device starts generating six-digit numbers.
    • In the IAM Manage MFA Device wizard, in the Authentication
      Code 1 box, type the six-digit number that's currently displayed by the MFA device. Wait 30 seconds for the device to generate a new number, and then type the new six-digit number into the Authentication
      Code 2 box.Click Continue.

Note: If you are root/admin account, you can enable MFA for the users (need the users' mfa device or smart phone which runs virtual mfa device app) or let them enable it themselves via granting them privileges to enable MFA. 

Enable MFA for a user的更多相关文章

  1. Azure多因素认证

    什么是多重身份验证? 双重验证是需要多种验证方法的身份验证方法,可为用户登录和事务额外提供一层重要的安全保障. 它的工作原理是需要以下两种或多种验证方法: 用户知道的某样东西(通常为密码) 用户具有的 ...

  2. aws 试题

    /* Domain 1 Design Resilient Architectures 1. Which of the following statements regarding S3 storage ...

  3. 用Azure AD 实现Web 应用身份认证的Multi-Factor Authentication(MFA)

    最近客户有个需求,希望把面向public的Web应用中的终端用户数据库由Azure AD来实现,同时希望可以用MFA来实现用户身份认证.这个想法非常好,通过使用Azure的managed servic ...

  4. Azure MFA 守护你的账户安全

    一,引言 MFA 又名 "多因素身份认证",指用户在登录的时候提示输入其他形式的标识.如果只使用密码对用户进行身份验证,是特别不安全的,尤其是在密码泄露的情况下.为了提高安全性,启 ...

  5. Spring Enable annotation – writing a custom Enable annotation

    原文地址:https://www.javacodegeeks.com/2015/04/spring-enable-annotation-writing-a-custom-enable-annotati ...

  6. How those spring enable annotations work--转

    原文地址:http://blog.fawnanddoug.com/2012/08/how-those-spring-enable-annotations-work.html Spring's Java ...

  7. Windows API 设置窗口下控件Enable属性

    参考页面: http://www.yuanjiaocheng.net/webapi/create-crud-api-1-put.html http://www.yuanjiaocheng.net/we ...

  8. 在 ML2 中 enable local network - 每天5分钟玩转 OpenStack(79)

    前面完成了一系列准备工作,本节开始将创建各种 Neutorn 网络,我们首先讨论 local network. local network 的特点是不会与宿主机的任何物理网卡相连,也不关联任何的 VL ...

  9. Android Studio :enable vt-x in your bios security,已经打开还是报错的解决方法

    quote: For Windows 10: First of all, install the intelhaxm-android.exe located in the folder SDK\ext ...

随机推荐

  1. JS---如何避免用户在请求时“猛击”

    var isAjax=false;//是否正在执行ajax请求,此处表示不在拿数据 var getInfoByTrainCode=function () { if(isAjax) return;//如 ...

  2. 交易B(队列)

    临近考试,又把之前的上机的题目看了一遍,自己又尝试着敲代码,发现好多之前的代码现在看来都被自己复杂化了许多,于是把现在重写的代码再贴出来. 之前的题目和代码戳这里 #include<queue& ...

  3. Android内部自带的SQLite数据库操作dos命令

    1:什么叫做SQLite数据库 Android系统内核是Linux系统,Android系统很特殊,他自带了一个SQLite数据库,轻量型的一款嵌入式的数据库 它占用资源非常的低,在嵌入式设备中,可能只 ...

  4. js script中引用其他script

    在需要引用目标js中引用其他js依赖项 可以使用这个方法直接在js顶部加入这一行即可 document.write("<script type='text/javascript' sr ...

  5. android数据存储之外部存储(External Storage)

    Android设备支持外部存储器,可以是可移动存储器(如SD卡),也可以是内置在设备中的外部存储器(不可移动). 如果希望外部存储器上的文件只对本程序有用,并且当程序被卸载时目录中的文件自动被系统删除 ...

  6. Unity 之 Shader 对Z深度的偏移

    对Z深度的偏移 Offset 指令给了我们一个操作正常的ZTest 检测结果的手段. Offset有两个参数,这两个参数理解起来不是很直观,而且具体实现是和硬件相关的 下面在实际例子中看他的效果 Sh ...

  7. SQLServer idenity 字段跳值

    修改数据库实例的启动参数 然后修改SQLServer启动参数,打开SQLServer configuration manager,然后选择服务实例,点击右键属性,查看实例的属性界面,然后启动参数选项输 ...

  8. Excel列名 字母和数字的转换

    Excel的列名是由于字母组成的. A-Z 分别代表1-26  AA 是27 AB是28 以此类推. 以下是这种编码的转换方法,如果遇到需要用纯字母编号来表示数字的时候可以用到. /** * 类似EX ...

  9. Git之VS2010实践

    对于我们经常在VS2010下编程的开发人员来说,强大的SCM工具Git貌似对我们很陌生.对于Git,我在我的另一篇博客<Git学习笔记>中已做过介绍,下面我再简单介绍一下Git在VS201 ...

  10. C# ToString("x2")的理解

    1).转化为16进制. 2).大写X:ToString("X2")即转化为大写的16进制. 3).小写x:ToString("x2")即转化为小写的16进制. ...