URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
Submission: On November 29 via manual from US — Scanned from DE
Using multi-factor authentication (MFA) in AWS - AWS Identity and Access Management User Guide

USING MULTI-FACTOR AUTHENTICATION (MFA) IN AWS

For increased security, we recommend that you configure multi-factor authentication (MFA) to help protect your AWS resources. You can enable MFA for the AWS account root user and IAM users. When you enable MFA for the root user, it affects only the root user credentials. IAM users in the account are distinct identities with their own credentials, and each identity has its own MFA configuration.

You can register up to eight MFA devices of any combination of the currently supported MFA types with your AWS account root user and IAM users. For more information about supported MFA types, see What is MFA?. With multiple MFA devices, only one MFA device is needed to sign in to the AWS Management Console or create a session through the AWS CLI as that user.

NOTE: We recommend that you require your human users to use temporary credentials when accessing AWS.
Have you considered using AWS IAM Identity Center? You can use IAM Identity Center to centrally manage access to multiple AWS accounts and provide users with MFA-protected, single sign-on access to all their assigned accounts from one place. With IAM Identity Center, you can create and manage user identities in IAM Identity Center or easily connect to your existing SAML 2.0 compatible identity provider. For more information, see What is IAM Identity Center? in the AWS IAM Identity Center User Guide.

WHAT IS MFA?

MFA adds extra security because it requires users to provide unique authentication from an AWS supported MFA mechanism in addition to their regular sign-in credentials when they access AWS websites or services:

* FIDO security key – FIDO Certified hardware security keys are provided by third-party providers. The FIDO Alliance maintains a list of all FIDO Certified products that are compatible with FIDO specifications. FIDO authentication standards are based on public key cryptography, which enables strong, phishing-resistant authentication that is more secure than passwords. FIDO security keys support multiple root accounts and IAM users using a single security key. For more information about enabling FIDO security keys, see Enabling a FIDO security key (console).

* Virtual MFA devices – A virtual authenticator application that runs on a phone or other device and emulates a physical device. Virtual authenticator apps implement the time-based one-time password (TOTP) algorithm and support multiple tokens on a single device. The user must type a valid code from the device on a second webpage during sign-in. Each virtual MFA device assigned to a user must be unique. A user can't type a code from another user's virtual MFA device to authenticate. Because they can run on unsecured mobile devices, virtual MFA might not provide the same level of security as FIDO security keys.
  We do recommend that you use a virtual MFA device while waiting for hardware purchase approval or while you wait for your hardware to arrive. For a list of a few supported apps that you can use as virtual MFA devices, see Multi-Factor Authentication. For instructions on setting up a virtual MFA device with AWS, see Enabling a virtual multi-factor authentication (MFA) device (console).

* Hardware TOTP token – A hardware device that generates a six-digit numeric code based on the time-based one-time password (TOTP) algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each MFA device assigned to a user must be unique. A user cannot type a code from another user's device to be authenticated. For information on supported hardware MFA devices, see Multi-Factor Authentication. For instructions on setting up a hardware TOTP token with AWS, see Enabling a hardware TOTP token (console).

NOTE: SMS text message-based MFA – AWS ended support for enabling SMS multi-factor authentication (MFA). We recommend that customers who have IAM users that use SMS text message-based MFA switch to one of the following alternative methods: FIDO security key, virtual (software-based) MFA device, or hardware MFA device. You can identify the users in your account with an assigned SMS MFA device. To do so, go to the IAM console, choose Users from the navigation pane, and look for users with SMS in the MFA column of the table.

TOPICS

* Enabling MFA devices for users in AWS
* Checking MFA status
* Resynchronizing virtual and hardware MFA devices
* Deactivating MFA devices
* What if an MFA device is lost or stops working?
* Configuring MFA-protected API access
* Sample code: Requesting credentials with multi-factor authentication
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.