How to enable MFA for an IAM User using AWS CLI

Pragti Chauhan

If a password is stolen or credentials leak while MFA (multi-factor authentication) is disabled, an attacker can log in to the user's AWS account with the password alone and reach every AWS service that user can access. Depending on the user's privileges, the attacker could also launch additional services or disrupt running operations.

AWS IAM provides MFA to its users. MFA adds a layer of security and must be enabled wherever possible: an attacker who has the password still cannot log in, because the account requires a multi-factor authentication token to complete the login process.

In this article we will see how to enable MFA for an AWS IAM user using the AWS CLI.

Enable MFA for an IAM user via AWS CLI

To enable MFA for a user in AWS IAM, make sure you have the permissions to do so. If not, contact the authorized team member who will enable and set up MFA for the given user.

Following are the steps to enable MFA for an AWS user using AWS CLI:

  1. Run the following command to create a virtual MFA device for the user. In this article we generate a QR code that is then scanned to set up the MFA device. Save the SerialNumber (the device ARN) from the command's output; it is needed in step 3.

    aws iam create-virtual-mfa-device --virtual-mfa-device-name <MFA_device_name> --outfile <QRCode_PNG_location_to_write> --bootstrap-method QRCodePNG

    [Screenshot: Create virtual MFA device]

  2. Use an app such as Google Authenticator to scan the QR code saved by the previous command and obtain two consecutive passcodes generated by the virtual MFA device.

  3. Run the following command to assign the virtual MFA device to the user:

    aws iam enable-mfa-device --user-name <IAM_username> --serial-number <MFA_ARN> --authentication-code1 <auth_passcode_string_1> --authentication-code2 <auth_passcode_string_2>

    [Screenshot: IAM User with MFA disabled]
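The three steps above, scripted end to end as an added example (this is not code from the original article). It assumes AWS CLI v2 is installed and credentialed with iam:CreateVirtualMFADevice, iam:EnableMFADevice and iam:ListMFADevices; the function names are this example's own. The script pulls the SerialNumber straight out of the create-virtual-mfa-device output with a JMESPath query, checks the two passcodes before calling enable-mfa-device (six digits each, and not identical, since the second must be the next code), confirms the device is attached with list-mfa-devices, and finally deletes the QR PNG, because that image encodes the TOTP seed.

```shell
#!/usr/bin/env sh
# Added example: enable a virtual MFA device for an IAM user with the AWS CLI.
# Assumes AWS CLI v2 and credentials permitted to create/enable/list MFA devices.

# A TOTP passcode accepted by enable-mfa-device is exactly six digits.
is_totp_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# A virtual MFA serial number is the device ARN: arn:<partition>:iam::<12-digit account>:mfa/<name>
is_mfa_arn() {
  case "$1" in
    arn:aws*:iam::????????????:mfa/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1: create the device, write the QR code PNG, print only the SerialNumber (ARN).
create_device() {  # $1 = device name, $2 = path for the QR PNG
  aws iam create-virtual-mfa-device \
    --virtual-mfa-device-name "$1" \
    --outfile "$2" \
    --bootstrap-method QRCodePNG \
    --query 'VirtualMFADevice.SerialNumber' --output text
}

# Step 3: attach the device to the user, after validating inputs locally
# so a typo fails fast instead of burning an API call.
enable_device() {  # $1 = IAM user, $2 = serial ARN, $3 = first code, $4 = second code
  if ! is_mfa_arn "$2"; then
    echo "not a virtual MFA serial number: $2" >&2; return 1
  fi
  if ! is_totp_code "$3" || ! is_totp_code "$4"; then
    echo "passcodes must be six digits" >&2; return 1
  fi
  if [ "$3" = "$4" ]; then
    echo "passcodes must be two consecutive codes, not the same one" >&2; return 1
  fi
  aws iam enable-mfa-device --user-name "$1" --serial-number "$2" \
    --authentication-code1 "$3" --authentication-code2 "$4"
}

# Post-check: succeed only if the serial is now listed among the user's MFA devices.
verify_device() {  # $1 = IAM user, $2 = serial ARN
  aws iam list-mfa-devices --user-name "$1" \
    --query "MFADevices[?SerialNumber=='$2'].SerialNumber" --output text | grep -q .
}

# Usage: sh enable-mfa.sh <device_name> <IAM_username> <qr_png_path>
main() {
  serial=$(create_device "$1" "$3") || return 1
  echo "Created $serial. Scan $3 with your authenticator app."
  printf 'First passcode: '; read -r code1
  printf 'Second passcode (wait for the next one to appear): '; read -r code2
  enable_device "$2" "$serial" "$code1" "$code2" || return 1
  verify_device "$2" "$serial" && echo "MFA enabled for $2 with $serial"
  rm -f "$3"   # the PNG carries the TOTP seed; do not leave it on disk
}

if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

Enabling the device protects console sign-in for that user; API calls made with the user's long-term access keys are unaffected unless an IAM policy also conditions them on aws:MultiFactorAuthPresent, so pair this procedure with such a policy where MFA is meant to cover CLI use as well.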
