Step 3: Test your user's access

Sign in as the test user to verify that access to Amazon EC2 is blocked until the user creates an MFA device. The user can then sign in using that device.

Prerequisites

To perform the steps in this tutorial, you must already have the following:

• An AWS account that you can sign in to as an IAM user with administrative permissions.

• Your account ID number, which you type into the policy in Step 1.

To find your account ID number, on the navigation bar at the top of the page, choose Support and then choose Support Center. You can find your account ID under this page's Support menu.

• A virtual (software-based) MFA device (p. 113), U2F security key (p. 116), or hardware-based MFA device (p. 122).

• A test IAM user who is a member of a user group as follows:

Create user account: MFAUser. Choose only the option for AWS Management Console access, and assign a password.

Create and configure user group: EC2MFA. Do NOT attach any policies or otherwise grant permissions to this user group.

Step 1: Create a policy to enforce MFA sign-in

You begin by creating an IAM customer managed policy that denies all permissions except those required for IAM users to manage their own credentials and MFA devices.

1. Sign in to the AWS Management Console as a user with administrator credentials. To adhere to IAM best practices, don't sign in with your AWS account root user credentials. For more information, see Create individual IAM users.

2. Open the IAM console at https://console.aws.amazon.com/iam/.

3. In the navigation pane, choose Policies, and then choose Create policy.

4. Choose the JSON tab and copy the text from the following JSON policy document: AWS: Allows MFA-authenticated IAM users to manage their own credentials on the My Security Credentials page (p. 426).

5. Paste the policy text into the JSON text box. Resolve any security warnings, errors, or general warnings generated during policy validation (p. 478), and then choose Review policy.

Note

You can switch between the Visual editor and JSON tabs anytime. However, the policy above includes the NotAction element, which is not supported in the visual editor. For this policy, you will see a notification on the Visual editor tab. Return to the JSON tab to continue working with this policy.

6. On the Review page, type Force_MFA for the policy name. For the policy description, type This policy allows users to manage their own passwords and MFA devices but nothing else unless they authenticate with MFA. Review the policy Summary to see the permissions granted by your policy, and then choose Create policy to save your work.

The new policy appears in the list of managed policies and is ready to attach.

Step 2: Attach policies to your test user group

Next you attach two policies to the test IAM user group, which will be used to grant the MFA-protected permissions.

1. In the navigation pane, choose User groups.

2. In the search box, type EC2MFA, and then choose the group name (not the check box) in the list.

3. Choose the Permissions tab, choose Add permissions, and then choose Attach policy.

4. On the Attach permission policies to EC2MFA group page, in the search box, type EC2Full. Then select the check box next to AmazonEC2FullAccess in the list. Don't save your changes yet.

5. In the search box, type Force, and then select the check box next to Force_MFA in the list.

6. Choose Attach policies.
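Steps 1 and 2 attach two policies whose interaction is what Step 3 then verifies: the Force_MFA deny overrides AmazonEC2FullAccess until MFA is present, while self-service credential actions stay reachable. As an added example (not AWS code; both policy documents are constructed stand-ins rather than the real Force_MFA and AmazonEC2FullAccess text), this Python models that evaluation: explicit Deny first, NotAction coverage, and the BoolIfExists condition on aws:MultiFactorAuthPresent.

```python
"""Toy model of IAM evaluation for the Force_MFA + AmazonEC2FullAccess setup.
Added example: not AWS's evaluator, and both policies below are constructed
stand-ins (the tutorial's full policy is the one linked in Step 1, page 426)."""
from fnmatch import fnmatchcase

# Stand-in for Force_MFA: allow self-service credential/MFA actions, and deny
# everything NOT in the NotAction list whenever MFA is absent or false.
FORCE_MFA = [
    {"Effect": "Allow",
     "Action": ["iam:GetUser", "iam:ChangePassword", "iam:ListMFADevices",
                "iam:ListVirtualMFADevices", "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice", "iam:ResyncMFADevice"]},
    {"Effect": "Deny",
     "NotAction": ["iam:GetUser", "iam:ChangePassword", "iam:ListMFADevices",
                   "iam:ListVirtualMFADevices", "iam:CreateVirtualMFADevice",
                   "iam:EnableMFADevice", "iam:ResyncMFADevice",
                   "sts:GetSessionToken"],
     # BoolIfExists: also true when the key is missing (long-term access keys)
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]
# Stand-in for AmazonEC2FullAccess (trimmed to the ec2 namespace).
EC2_FULL = [{"Effect": "Allow", "Action": ["ec2:*"]}]

def statement_covers(statement, action):
    """Action lists match by wildcard; NotAction covers every action NOT listed."""
    if "Action" in statement:
        return any(fnmatchcase(action, p) for p in statement["Action"])
    return not any(fnmatchcase(action, p) for p in statement["NotAction"])

def condition_holds(statement, context):
    """Only the operator this tutorial's policy needs: BoolIfExists."""
    cond = statement.get("Condition", {}).get("BoolIfExists", {})
    for key, expected in cond.items():
        if key in context and context[key] != expected:
            return False
    return True  # no condition, key absent, or value matched

def is_allowed(policies, action, context):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    allowed = False
    for statement in (s for policy in policies for s in policy):
        if statement_covers(statement, action) and condition_holds(statement, context):
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    attached = [FORCE_MFA, EC2_FULL]
    no_mfa = {"aws:MultiFactorAuthPresent": "false"}
    with_mfa = {"aws:MultiFactorAuthPresent": "true"}
    for action, ctx in [("ec2:DescribeInstances", no_mfa), ("iam:CreateVirtualMFADevice", no_mfa),
                        ("ec2:DescribeInstances", with_mfa), ("s3:ListAllMyBuckets", with_mfa)]:
        print(f"{action:28s} mfa={ctx['aws:MultiFactorAuthPresent']:5s} "
              f"allowed={is_allowed(attached, action, ctx)}")
```

The run mirrors Step 3: EC2 is denied without MFA, MFA enrollment is permitted without it, EC2 is allowed with MFA, and anything outside EC2 stays denied even with MFA.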

Step 3: Test your user's access

In this part of the tutorial, you sign in as the test user and verify that the policy works as intended.

1. Sign in to your AWS account as MFAUser with the password you assigned in the previous section.

Use the URL: https://<alias or account ID number>.signin.aws.amazon.com/console

2. Choose EC2 to open the Amazon EC2 console and verify that the user has no permissions to do anything.

3. In the navigation bar on the upper right, choose the MFAUser user name, and then choose My Security Credentials.

4. Now add an MFA device. In the Multi-factor Authentication (MFA) section, choose Assign MFA device.

Note

You might receive an error that you are not authorized to perform iam:DeleteVirtualMFADevice. This could happen if someone previously began assigning a virtual MFA device to this user and cancelled the process. To continue, you or another administrator must delete the user's existing MFA device. For more information, see I am not authorized to perform: iam:DeleteVirtualMFADevice (p. 690).

5. For this tutorial, we use a virtual (software-based) MFA device, such as the Google Authenticator app on a mobile phone. Choose Virtual MFA device, and then click Continue.

IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the secret configuration key that is available for manual entry on devices that do not support QR codes.

6. Open your virtual MFA app. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications.) If the virtual MFA app supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).

7. Determine whether the MFA app supports QR codes, and then do one of the following:

• From the wizard, choose Show QR code. Then use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.

• In the Manage MFA Device wizard, choose Show secret key, and then type the secret key into your MFA app.

When you are finished, the virtual MFA device starts generating one-time passwords.

8. In the Manage MFA Device wizard, in the MFA Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the MFA Code 2 box. Choose Assign MFA.

Important

Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device is successfully associated with the user. However, the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device (p. 129).

The virtual MFA device is now ready to use with AWS.

9. Sign out of the console and then sign in as MFAUser again. This time AWS prompts you for an MFA code from your phone. When you get it, type the code in the box and then choose Submit.

10. Choose EC2 to open the Amazon EC2 console again. Note that this time you can see all the information and perform any actions you want. If you go to any other console as this user, you see access denied messages. The reason is that the policies in this tutorial grant access only to Amazon EC2.
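The Important note under step 8 describes a real failure mode: a TOTP code is derived from the current 30-second time step, so codes submitted late still bind the device but leave it out of step with the verifier. As an added example (not AWS code; the secret is the RFC 6238 reference test key, used here as constructed input), this standard-library Python implements the TOTP derivation, the two-consecutive-codes check the wizard performs, and a drift-window verify and resync.

```python
"""RFC 6238 TOTP with standard-library code only. Added example to illustrate
the 'MFA Code 1 / MFA Code 2' step and the out-of-sync case; not AWS code.
SECRET is the RFC 6238 reference test key, used here as constructed input."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # one time step; the wizard has you wait this long
DIGITS = 6
SECRET = b"12345678901234567890"  # RFC 6238 test vector key (constructed input)

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int) -> str:
    """The counter is the number of whole 30-second steps since the epoch."""
    return hotp(secret, unix_time // STEP_SECONDS)

def two_consecutive_codes(secret: bytes, unix_time: int) -> tuple:
    """What the Manage MFA Device wizard asks for: the current code and the next."""
    return totp(secret, unix_time), totp(secret, unix_time + STEP_SECONDS)

def verify(secret: bytes, code: str, unix_time: int, window: int = 1):
    """Verifier-side check tolerating +/- `window` steps of device drift.
    Returns the step offset that matched, or None when the device is too far
    out of sync to be accepted (the case the tutorial's Important note warns about)."""
    base = unix_time // STEP_SECONDS
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + offset), code):
            return offset
    return None

def resync_offset(secret: bytes, code1: str, code2: str, unix_time: int, search: int = 50):
    """Resync: recover the device's step offset from two consecutive codes,
    which is why a resync (and the wizard) asks for two codes rather than one."""
    base = unix_time // STEP_SECONDS
    for offset in range(-search, search + 1):
        if hotp(secret, base + offset) == code1 and hotp(secret, base + offset + 1) == code2:
            return offset
    return None
```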

Related resources

For related information found in the IAM User Guide, see the following resources:

• Using multi-factor authentication (MFA) in AWS (p. 111)

• Enabling MFA devices for users in AWS (p. 112)

• Using MFA devices with your IAM sign-in page (p. 82)

Signing in to the AWS Management Console as an IAM user or root user

The AWS Management Console provides a web-based user interface that you can use to create and manage your AWS resources. For example, you can start and stop Amazon EC2 instances, create Amazon DynamoDB tables, create Amazon S3 buckets, and so on.

Before you can use the AWS Management Console, you must sign in to your AWS account. The process that you will use to sign in to your AWS account depends on what type of AWS user you are. There are two different types of users in AWS. You are either the account owner (root user) or you are an IAM user.

The root user is created when the AWS account is created using the email address and password that were used to create the account. IAM users are created by the root user or an IAM administrator within the AWS account.

If you do not remember your credentials or have trouble signing in using your credentials, see AWS sign-in issues (p. 68).

Contents

• Sign in as the root user (p. 63)

• Sign in as an IAM user (p. 64)

• Your AWS account ID and its alias (p. 66)

• Troubleshooting AWS sign-in or account issues (p. 68)

Sign in as the root user

Before you sign in to an AWS account as the root user, be sure that you have the following required information.

Requirements

• The email address used to create the AWS account.

• The password for the root user.

To sign in to an AWS account as the root user

1. Open https://console.aws.amazon.com/.

2. If you have not signed in previously using this browser, the main sign-in page appears as follows.

Choose Root user, enter the email address associated with your account, and choose Next.

If you have signed in as a root user previously using this browser, your browser might remember the email address for the AWS account. If so, you'll see the screen shown in the next step instead.

If you have signed in previously as an IAM user using this browser, your browser might display the IAM user sign-in page instead. To return to the main sign-in page, choose Sign in using root user email.

3. Enter your password and choose Sign in.

Sign in as an IAM user

Before you sign in to an AWS account as an IAM user, be sure that you have the following required information. If you do not have this information, contact the administrator for the AWS account.

Requirements

• One of the following:

• The account alias.

• The 12-digit AWS account ID.

• The user name for your IAM user.

• The password for your IAM user.

If you are a root user or IAM administrator and need to provide the AWS account ID or AWS account alias to an IAM user, see Your AWS account ID and its alias (p. 66).

If you are an IAM user, you can log in using either a sign-in URL or the main sign-in page.

To sign in to an AWS account as an IAM user using an IAM user sign-in URL

1. Open a browser and enter the following sign-in URL, replacing account_alias_or_id with the account alias or account ID provided by your administrator.

https://account_alias_or_id.signin.aws.amazon.com/console/

2. Enter your IAM user name and password and choose Sign in.

To sign in to an AWS account as an IAM user using the main sign-in page

1. Open https://console.aws.amazon.com/.

2. If you have not signed in previously using this browser, the main sign-in page appears. Choose IAM user, enter the account alias or account ID, and choose Next.

If you have signed in as an IAM user previously using this browser, your browser might remember the account alias or account ID for the AWS account. If so, you'll see the screen shown in the next step instead.

3. Enter your IAM user name and password and choose Sign in.

If you have signed in as an IAM user for a different AWS account previously using this browser, or you need to sign in as a root user instead, choose Sign in using root user email to return to the main sign-in page.

Your AWS account ID and its alias

To sign in to an AWS account as an IAM user, you must have an account alias or an account ID for the AWS account. If you are signed in to the AWS Management Console or have configured the AWS CLI or an AWS SDK with your account credentials, you can find the account alias or account ID for the AWS account. If you cannot sign in, ask your administrator for the information that you need to sign in.

Note

Account aliases are not secrets, and they will appear in your public-facing sign-in page URL. Do not include any sensitive information in your account alias.

Topics

• Finding your AWS account ID (p. 66)

• About account aliases (p. 67)

• Creating, deleting, and listing an AWS account alias (p. 67)

Finding your AWS account ID

You can find the account ID for your AWS account using the following methods.

Finding your account ID using the console

In the navigation bar, choose Support, and then Support Center. Your currently signed-in 12-digit account number (ID) appears in the Support Center navigation pane.

Finding your account ID using the AWS CLI

Use the following command to view your user ID, account ID, and your user ARN:

• aws sts get-caller-identity

Finding your account ID using the API

Use the following API to view your user ID, account ID, and your user ARN:

• GetCallerIdentity

About account aliases

If you want the URL for your sign-in page to contain your company name (or other friendly identifier) instead of your AWS account ID, you can create an account alias. This section provides information about AWS account aliases and lists the API operations that you use to create an alias.

Your sign-in page URL has the following format, by default.

https://Your_Account_ID.signin.aws.amazon.com/console/

If you create an AWS account alias for your AWS account ID, your sign-in page URL looks like the following example.

https://Your_Account_Alias.signin.aws.amazon.com/console/

The original URL containing your AWS account ID remains active and can be used after you create your AWS account alias.

Tip

To create a bookmark for your account sign-in page in your web browser, you should manually type the sign-in URL in the bookmark entry. Don't use your web browser's "bookmark this page" feature.

Creating, deleting, and listing an AWS account alias

You can use the AWS Management Console, the IAM API, or the command line interface to create or delete your AWS account alias.

Considerations

• Your AWS account can have only one alias. If you create a new alias for your AWS account, the new alias overwrites the previous alias, and the URL containing the previous alias stops working.

• The account alias must be unique across all Amazon Web Services products. It must contain only digits, lowercase letters, and hyphens. For more information on limitations on AWS account entities, see IAM and AWS STS quotas (p. 731).

Creating, editing, and deleting aliases (console)

You can create, edit, and delete an account alias from the AWS Management Console.

To create, edit, or remove an account alias (console)

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

2. In the navigation pane, choose Dashboard.

3. In the AWS Account section, find Account Alias, and choose Create. If an alias already exists, then choose Edit.

4. Type the name you want to use for your alias, then choose Save changes.

5. To remove the alias, next to Account Alias choose Delete, and then choose Delete. The sign-in URL reverts to using your AWS account ID.

Creating, deleting, and listing aliases (AWS CLI)

To create an alias for your AWS Management Console sign-in page URL, run the following command:

• aws iam create-account-alias

To delete an AWS account ID alias, run the following command:

• aws iam delete-account-alias

To display your AWS account ID alias, run the following command:

• aws iam list-account-aliases

Creating, deleting, and listing aliases (AWS API)

To create an alias for your AWS Management Console sign-in page URL, call the following operation:

• CreateAccountAlias

To delete an AWS account ID alias, call the following operation:

• DeleteAccountAlias

To display your AWS account ID alias, call the following operation:

• ListAccountAliases

Troubleshooting AWS sign-in or account issues

Use the information here to help you troubleshoot sign-in and other AWS account issues. For step-by-step directions to sign in to an AWS account, see Signing in to the AWS Management Console as an IAM user or root user (p. 63).

If you are having trouble signing in to Amazon.com, see Amazon Customer Service instead.

Issues

• I need my AWS account ID or AWS account alias (p. 69)

• I forgot my IAM user name or password (p. 69)

• I forgot the root user password for my AWS account (p. 69)

• I don't have access to the email for my AWS account (p. 69)

• I need to change the credit card for my AWS account (p. 69)

• I need to report fraudulent AWS account activity (p. 70)

• I need to close my AWS account (p. 70)

I need my AWS account ID or AWS account alias

If you are an IAM user and you are not signed in, you must ask your administrator for the AWS account ID or AWS account alias. You need this information, plus your IAM user name and password, to sign in to an AWS account.

I forgot my IAM user name or password

If you are an IAM user, your administrator provides your credentials. If you forget your password, you must ask your administrator to reset it.

For security purposes, AWS doesn't have access to view, provide, or change your credentials.

I forgot the root user password for my AWS account

If you are a root user and you have lost or forgotten the password for your AWS account, you can reset your password. You must know the email address used to create the AWS account and you must have access to the email account. For more information, see Resetting lost or forgotten passwords or access keys for AWS (p. 110).

I don't have access to the email for my AWS account

When you create an AWS account, you provide an email address and password. These are the credentials for the AWS account root user. If you are not sure of the email address associated with your AWS account, check for saved correspondence from [email protected] to any email address for your organization that might have been used to open the AWS account.

If you know the email address but no longer have access to the email, first try to recover access to the email using one of the following options:

• If you own the domain for the email address, you can restore a deleted email address. Alternatively, you can set up a catch-all for your email account, which "catches all" messages sent to email addresses that no longer exist in the mail server and redirects them to another email address.

• If the email address on the account is part of your corporate email system, we recommend that you contact your IT system administrators. They might be able to help you regain access to the email.

If you're still not able to sign in to your AWS account, you can find alternate support options at Contact us. Expand I cannot login to my AWS account and choose Request Support for AWS Account Credentials. Provide the information in the form and choose Submit.

I need to change the credit card for my AWS account

To change the credit card for your AWS account, you must be able to sign in. AWS has protections in place that require you to prove that you're the account owner. For directions, see Managing your credit card payment methods in the AWS Billing and Cost Management User Guide.

I need to report fraudulent AWS account activity