Reference Architecture - new users do not have access to set up MFA
Our RA was just deployed, but I've run into a problem where new users, including the IAM Security User, do not have permission to set up MFA from the web console. They are members of iam-user-self-mgmt, but when setting up an MFA device they receive this error:

    You need permissions
    You do not have the permission required to perform this operation. Ask your administrator to add permissions.
    User xxxx is not authorized to perform: iam:CreateVirtualMFADevice on resource xxxxx: because no identity-based policy allows the iam:CreateVirtualMFADevice action.

Am I taking the wrong steps to Assign MFA? From the profile dropdown I am selecting Security Credentials and then under Multi-Factor Authentication I am clicking on Assign MFA Device. I give the device a name and select Authenticator App, click Next, and then I receive the error.

---

Tracked in ticket #109730 (https://support.gruntwork.io/hc/requests/109730), 2022-12-15.

https://github.com/gruntwork-io/terraform-aws-security
This appears to be a result of the way the policy is written in the official security module: https://github.com/gruntwork-io/terraform-aws-security/blob/01900ebb91f0bdc29f5cc14a6d9d3dce817b92ea/modules/iam-policies/main.tf#L673

This policy is written as:

    "Resource": [
      "arn:aws:iam::311698643943:user/${aws:username}",
      "arn:aws:iam::311698643943:mfa/${aws:username}"
    ]

But I think it ought to be written as:

    "Resource": [
      "arn:aws:iam::311698643943:user/${aws:username}",
      "arn:aws:iam::311698643943:mfa/*"
    ]

Or the documentation should tell us the MFA device must be named exactly the same as your username.
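To show why the device name matters under the two Resource entries above, here is an added Python model of how IAM substitutes `${aws:username}` and matches the requested MFA device ARN; it is my own example, not code from the thread or the gruntwork module, and the account id, user names and device names are constructed placeholders.

```python
import re

# Constructed example, not the gruntwork module's code: a minimal model of how
# IAM matches a request's resource ARN against a policy Resource entry after
# substituting the ${aws:username} policy variable.
ACCOUNT = "123456789012"  # placeholder account id, not the poster's

def resolve_policy_variables(resource: str, username: str) -> str:
    """Substitute the ${aws:username} policy variable with the caller's name."""
    return resource.replace("${aws:username}", username)

def resource_matches(policy_resource: str, request_arn: str, username: str) -> bool:
    """IAM Resource entries allow * and ? wildcards; compare after substitution."""
    pattern = resolve_policy_variables(policy_resource, username)
    # Escape regex metacharacters, then turn IAM wildcards into regex ones.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, request_arn) is not None

def is_allowed(statement: dict, action: str, request_arn: str, username: str) -> bool:
    """Evaluate one Allow statement: action listed and some Resource entry matches."""
    if statement.get("Effect") != "Allow" or action not in statement["Action"]:
        return False
    return any(resource_matches(r, request_arn, username) for r in statement["Resource"])

# Statement shape as reported in the thread (device resource tied to the username).
AS_DEPLOYED = {
    "Effect": "Allow",
    "Action": ["iam:CreateVirtualMFADevice"],
    "Resource": [
        f"arn:aws:iam::{ACCOUNT}:user/${{aws:username}}",
        f"arn:aws:iam::{ACCOUNT}:mfa/${{aws:username}}",
    ],
}

# Proposed shape from the thread: any virtual MFA device name in the account.
PROPOSED = {**AS_DEPLOYED, "Resource": [
    f"arn:aws:iam::{ACCOUNT}:user/${{aws:username}}",
    f"arn:aws:iam::{ACCOUNT}:mfa/*",
]}

def can_create_device(statement: dict, username: str, device_name: str) -> bool:
    """Would CreateVirtualMFADevice for this device name be allowed for this user?"""
    device_arn = f"arn:aws:iam::{ACCOUNT}:mfa/{device_name}"
    return is_allowed(statement, "iam:CreateVirtualMFADevice", device_arn, username)

if __name__ == "__main__":
    for name in ("alice", "alice-phone"):
        print(name, can_create_device(AS_DEPLOYED, "alice", name),
              can_create_device(PROPOSED, "alice", name))
```

With the deployed statement only a device named exactly "alice" passes for user alice, which is the console failure reported above; the `mfa/*` form accepts any device name, so it also lets a user create a device whose name is some other user's name, a broadening worth keeping in mind when choosing between the two fixes.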