Setting up an AWS account > MFA for AWS Accounts > Hardware MFA Device

Hardware MFA Device

The following steps require a hardware MFA device.

Enabling a hardware MFA device through Console

A hardware MFA device generates a six-digit numeric code based upon a time-synchronized one-time password algorithm. Hardware MFA devices and U2F security keys are both physical devices that you purchase. The difference is that hardware MFA devices generate a code that you view and then enter when prompted when signing it to AWS.

Sign-in to the AWS Console.
In the upper right corner, you’ll see your account name, select and select My Security Credentials.

Note: To manage a hardware MFA device for your own IAM user while protecting sensitive MFA-related actions, you must have the permissions from the following policy.

In the left bar, select Policies then select Create policy. Select JSON tab and paste the policy document from below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

Select Next: Tags. You’ll be presented with a screen about Tags, a tool used to identify groups of AWS resources.
Select Next: Review. This is a screen that allows you to review the policy that you are creating.
Enter the name of the policy (for example, MFAHardDevice) and select Create policy.

MFA Policy

In the left bar, select Dashboard and then select Enable MFA.

Dashboard

Expand Multi-factor authentication (MFA) and then select Active MFA.

MFA Section

Under Manage MFA Device, select Other Hardware MFA Device then press Continue.
Enter Serial Number in the back of the device.

Enter MFA code 1. Wait 30 seconds or until the code changes, then enter MFA code 2.
Select Assign MFA.