MFA Devices

Multi-Factor Authentication (MFA) device management for securing IAM user access with time-based one-time passwords (TOTP) from virtual devices or hardware TOTP tokens. The commands below cover the device lifecycle: create, enable, resync, deactivate, delete, list, and tag.

Capabilities

Create Virtual MFA Device

Creates a new virtual MFA device for the AWS account. Virtual MFA devices use TOTP applications like Google Authenticator or Authy.

/**
 * Creates a new virtual MFA device for the AWS account
 * @param VirtualMFADeviceName - The name of the virtual MFA device (unique within the account)
 * @param Path - The path for the virtual MFA device (default: /); becomes part of the device ARN
 * @param Tags - Optional tags to attach to the new device
 */
interface CreateVirtualMFADeviceCommandInput {
  VirtualMFADeviceName: string;
  Path?: string;
  Tags?: Tag[];
}

interface CreateVirtualMFADeviceCommandOutput {
  VirtualMFADevice?: VirtualMFADevice;
}

Usage Example:

import { IAMClient, CreateVirtualMFADeviceCommand } from "@aws-sdk/client-iam";

// IAM is a global service; the region only selects the endpoint
const client = new IAMClient({ region: "us-east-1" });

const command = new CreateVirtualMFADeviceCommand({
  VirtualMFADeviceName: "MyVirtualMFADevice",
  Path: "/mfa/"
});

const result = await client.send(command);
console.log("MFA Device created:", result.VirtualMFADevice?.SerialNumber);
// Base32StringSeed and QRCodePNG are returned only in this response and cannot be
// retrieved later: hand them to the user's authenticator now and never log them.

Enable MFA Device

Enables an MFA device and associates it with an IAM user. IAM requires two consecutive TOTP codes (the code for the current 30-second window and the code for the window that follows it) to confirm that the device clock and seed are in sync; codes that are not consecutive are rejected with an InvalidAuthenticationCode error.

/**
 * Enables the specified MFA device and associates it with the specified IAM user
 * @param UserName - The name of the IAM user
 * @param SerialNumber - The serial number that uniquely identifies the MFA device
 * @param AuthenticationCode1 - First authentication code emitted by the device
 * @param AuthenticationCode2 - Second authentication code emitted by the device
 */
interface EnableMFADeviceCommandInput {
  UserName: string;
  SerialNumber: string;
  AuthenticationCode1: string;
  AuthenticationCode2: string;
}

Usage Example:

import { IAMClient, EnableMFADeviceCommand } from "@aws-sdk/client-iam";

const client = new IAMClient({ region: "us-east-1" });

const command = new EnableMFADeviceCommand({
  UserName: "test-user",
  // The device ARN returned by CreateVirtualMFADevice (it includes the Path, if one was set)
  SerialNumber: "arn:aws:iam::123456789012:mfa/MyVirtualMFADevice",
  AuthenticationCode1: "123456", // Code for the current 30-second window
  AuthenticationCode2: "789012"  // Code for the following window
});

await client.send(command);

Deactivate MFA Device

Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.

/**
 * Deactivates the specified MFA device and removes it from the IAM user
 * @param UserName - The name of the user whose MFA device you want to deactivate
 * @param SerialNumber - The serial number that uniquely identifies the MFA device
 */
interface DeactivateMFADeviceCommandInput {
  UserName?: string;
  SerialNumber: string;
}

Delete Virtual MFA Device

Deletes a virtual MFA device. The device must first be deactivated (DeactivateMFADevice) before it can be deleted; while it is still assigned to a user, IAM rejects the deletion with a DeleteConflict error.

/**
 * Deletes a virtual MFA device
 * @param SerialNumber - The serial number that uniquely identifies the MFA device
 */
interface DeleteVirtualMFADeviceCommandInput {
  SerialNumber: string;
}

List MFA Devices

Lists the MFA devices for an IAM user.

/**
 * Lists the MFA devices for an IAM user
 * @param UserName - The name of the user whose MFA devices you want to list
 * @param Marker - Use this parameter only when paginating results
 * @param MaxItems - Maximum number of items to return
 */
interface ListMFADevicesCommandInput {
  UserName?: string;
  Marker?: string;
  MaxItems?: number;
}

interface ListMFADevicesCommandOutput {
  MFADevices: MFADevice[];
  IsTruncated?: boolean;
  Marker?: string;
}

List Virtual MFA Devices

Lists the virtual MFA devices defined in the AWS account by assignment status.

/**
 * Lists the virtual MFA devices defined in the AWS account
 * @param AssignmentStatus - The status (Unassigned, Assigned, or Any) of the devices to list
 * @param Marker - Use this parameter only when paginating results
 * @param MaxItems - Maximum number of items to return
 */
interface ListVirtualMFADevicesCommandInput {
  AssignmentStatus?: AssignmentStatusType;
  Marker?: string;
  MaxItems?: number;
}

interface ListVirtualMFADevicesCommandOutput {
  VirtualMFADevices: VirtualMFADevice[];
  IsTruncated?: boolean;
  Marker?: string;
}
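Virtual devices that were created but never enabled (for example, an enrollment that failed after CreateVirtualMFADevice) linger in the account and still count against the account's device quota. The following is an added example, not code from the tile or from the AWS SDK, that pages through ListVirtualMFADevices with AssignmentStatus "Unassigned" using the Marker/IsTruncated contract, selects the orphans, and deletes them when asked to. The SDK is loaded only inside auditOrphanedVirtualMfa(), so the pagination and selection helpers run without it; the MFA_AUDIT_REGION and MFA_AUDIT_DELETE environment variables and the file name audit-mfa.ts are assumptions of this example.

```typescript
// Added example (not part of the tile or the AWS SDK): find and optionally delete
// virtual MFA devices that were created but never enabled for any user.
// Assumes Node.js 18+ and @aws-sdk/client-iam when run against AWS.

/** Subset of VirtualMFADevice / ListVirtualMFADevicesCommandOutput used here. */
interface VirtualDevice {
  SerialNumber: string;
  User?: { UserName?: string };
  EnableDate?: Date;
}
interface ListPage {
  VirtualMFADevices: VirtualDevice[];
  IsTruncated?: boolean;
  Marker?: string;
}
interface ListInput {
  AssignmentStatus?: "Assigned" | "Unassigned" | "Any";
  Marker?: string;
  MaxItems?: number;
}
/** One ListVirtualMFADevices call; in production this wraps client.send(). */
type PageFetcher = (input: ListInput) => Promise<ListPage>;

/**
 * Collect every virtual MFA device with the given assignment status.
 * Loop on IsTruncated, never on page size: IAM may return fewer than
 * MaxItems items on a page while more results remain.
 */
export async function collectVirtualMfaDevices(
  fetchPage: PageFetcher,
  status: ListInput["AssignmentStatus"] = "Any",
  pageSize = 100,
): Promise<VirtualDevice[]> {
  const devices: VirtualDevice[] = [];
  let marker: string | undefined;
  do {
    const page = await fetchPage({ AssignmentStatus: status, Marker: marker, MaxItems: pageSize });
    devices.push(...page.VirtualMFADevices);
    marker = page.IsTruncated ? page.Marker : undefined;
  } while (marker);
  return devices;
}

/**
 * Orphans are devices with no user attached. AssignmentStatus=Unassigned already
 * filters server-side; the client-side check keeps a device that still carries
 * a User or EnableDate out of the deletion set no matter what was listed.
 */
export function selectOrphans(devices: VirtualDevice[]): string[] {
  return devices.filter((d) => !d.User && !d.EnableDate).map((d) => d.SerialNumber);
}

/** Audit the account; pass dryRun=false to delete the orphans. Returns their ARNs. */
export async function auditOrphanedVirtualMfa(region: string, dryRun = true): Promise<string[]> {
  const sdkModule = "@aws-sdk/client-iam"; // non-literal specifier: file loads without the SDK
  const iam = await import(sdkModule);
  const client = new iam.IAMClient({ region });
  const fetchPage: PageFetcher = (input) => client.send(new iam.ListVirtualMFADevicesCommand(input));

  const orphans = selectOrphans(await collectVirtualMfaDevices(fetchPage, "Unassigned"));
  for (const serial of orphans) {
    if (dryRun) {
      console.log(`[dry-run] would delete ${serial}`);
    } else {
      // Only succeeds for devices not enabled for any user, which is exactly this set.
      await client.send(new iam.DeleteVirtualMFADeviceCommand({ SerialNumber: serial }));
      console.log(`deleted ${serial}`);
    }
  }
  return orphans;
}

// Usage (assumed environment variables, not part of the SDK):
//   MFA_AUDIT_REGION=us-east-1 npx tsx audit-mfa.ts                    # report only
//   MFA_AUDIT_DELETE=1 MFA_AUDIT_REGION=us-east-1 npx tsx audit-mfa.ts # delete orphans
if (process.env.MFA_AUDIT_REGION) {
  auditOrphanedVirtualMfa(process.env.MFA_AUDIT_REGION, process.env.MFA_AUDIT_DELETE !== "1")
    .then((o) => console.log(`${o.length} orphaned virtual MFA device(s)`))
    .catch((err) => { console.error(err); process.exitCode = 1; });
}
```

Run it in dry-run mode first and review the list: a device that shows as Unassigned may belong to an enrollment that is still in progress, so tie the cleanup to an age or tag convention before automating the delete.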

Get MFA Device

Retrieves information about the specified MFA device.

/**
 * Retrieves information about the specified MFA device
 * @param SerialNumber - Serial number that uniquely identifies the MFA device
 * @param UserName - The friendly name identifying the user
 */
interface GetMFADeviceCommandInput {
  SerialNumber: string;
  UserName?: string;
}

interface GetMFADeviceCommandOutput {
  SerialNumber: string;
  UserName?: string;
  EnableDate?: Date;
}

Resync MFA Device

Synchronizes the specified MFA device with its IAM resource object on the AWS servers.

/**
 * Synchronizes the specified MFA device with its IAM resource object
 * @param UserName - The name of the user whose MFA device you want to resynchronize
 * @param SerialNumber - Serial number that uniquely identifies the MFA device
 * @param AuthenticationCode1 - An authentication code emitted by the device
 * @param AuthenticationCode2 - A subsequent authentication code emitted by the device
 */
interface ResyncMFADeviceCommandInput {
  UserName: string;
  SerialNumber: string;
  AuthenticationCode1: string;
  AuthenticationCode2: string;
}

MFA Device Tagging

Tag and untag MFA devices for organization and access control.

/**
 * Adds one or more tags to an IAM virtual MFA device
 * @param SerialNumber - The unique identifier for the IAM virtual MFA device
 * @param Tags - The list of tags to attach to the MFA device
 */
interface TagMFADeviceCommandInput {
  SerialNumber: string;
  Tags: Tag[];
}

/**
 * Removes the specified tags from the IAM virtual MFA device
 * @param SerialNumber - The unique identifier for the IAM virtual MFA device
 * @param TagKeys - A list of key names as a simple array of strings
 */
interface UntagMFADeviceCommandInput {
  SerialNumber: string;
  TagKeys: string[];
}

/**
 * Lists the tags attached to the specified IAM virtual MFA device
 * @param SerialNumber - The unique identifier for the IAM virtual MFA device
 * @param Marker - Use this parameter only when paginating results
 * @param MaxItems - Maximum number of items to return
 */
interface ListMFADeviceTagsCommandInput {
  SerialNumber: string;
  Marker?: string;
  MaxItems?: number;
}

Types

interface VirtualMFADevice {
  SerialNumber: string;
  Base32StringSeed?: Uint8Array;
  QRCodePNG?: Uint8Array;
  User?: User;
  EnableDate?: Date;
  Tags?: Tag[];
}

interface MFADevice {
  UserName: string;
  SerialNumber: string;
  EnableDate: Date;
}

enum AssignmentStatusType {
  Assigned = "Assigned",
  Unassigned = "Unassigned",
  Any = "Any"
}

Security Considerations

Important: The seed information contained in the QR code (QRCodePNG) and the Base32 string (Base32StringSeed) is the long-term secret of the device: anyone holding it can generate valid codes. Treat it like AWS access keys or passwords. It is returned only in the CreateVirtualMFADevice response and cannot be retrieved again, so do not log it, persist it outside a secrets store, or embed it in tickets or chat. After provisioning the device in the user's authenticator, destroy any copies following secure procedures.

Common Workflow

  1. Create Virtual MFA Device - Generate QR code and Base32 seed
  2. Configure TOTP App - Scan QR code or enter Base32 seed in authenticator app
  3. Enable MFA Device - Associate device with user using two consecutive codes
  4. Use MFA - Console sign-in prompts for the TOTP code; for CLI/API access the user obtains temporary credentials via STS GetSessionToken or AssumeRole with the device SerialNumber and TokenCode. Enabling a device does not by itself enforce MFA; enforcement comes from IAM policies conditioned on aws:MultiFactorAuthPresent
  5. Manage Device - Resync if codes stop being accepted (clock drift), tag for inventory, deactivate and then delete when no longer needed
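The enable step above and the Enable MFA Device section both hinge on the two consecutive codes. The following is an added example, not code from the tile or from the AWS SDK, that shows what those codes are by deriving them from the Base32 seed with a plain RFC 4226/6238 implementation (AWS virtual MFA devices use HMAC-SHA1, 6 digits and 30-second steps), and then uses that derivation to enrol a device end to end: create, enable with the derived pair, and wipe the seed buffers, deleting the device again if enabling fails so no orphan is left behind. The AWS calls run only inside enrollVirtualMfa(); the MFA_ENROLL_USER and MFA_ENROLL_DEVICE environment variables and the file name enroll-mfa.ts are assumptions of this example.

```typescript
// Added example (not part of the tile or the AWS SDK): TOTP derivation from the
// Base32StringSeed plus an automated enrolment. Assumes Node.js 18+ and
// @aws-sdk/client-iam when run against AWS; the TOTP code has no dependencies.
import { createHmac } from "node:crypto";

const BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

/** Decode RFC 4648 Base32 text, the encoding used by VirtualMFADevice.Base32StringSeed. */
export function base32Decode(text: string): Buffer {
  const clean = text.toUpperCase().replace(/[\s=]/g, "");
  const out: number[] = [];
  let bits = 0;
  let acc = 0;
  for (const ch of clean) {
    const v = BASE32_ALPHABET.indexOf(ch);
    if (v < 0) throw new Error(`invalid base32 character: ${ch}`);
    acc = (acc << 5) | v;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >>> bits) & 0xff);
      acc &= (1 << bits) - 1; // drop the consumed bits
    }
  }
  return Buffer.from(out);
}

/** HOTP (RFC 4226): dynamic truncation of HMAC-SHA1 over the 8-byte big-endian counter. */
export function hotp(key: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", key).update(msg).digest();
  const offset = mac[19] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

/** TOTP (RFC 6238): HOTP with counter = floor(unixSeconds / step). */
export function totp(base32Seed: string, unixSeconds: number, digits = 6, step = 30): string {
  return hotp(base32Decode(base32Seed), Math.floor(unixSeconds / step), digits);
}

/**
 * The pair EnableMFADevice and ResyncMFADevice expect: the code for the current
 * 30-second window and the code for the window after it. Deriving the second
 * code from counter + 1 avoids waiting 30 seconds.
 */
export function consecutiveCodes(base32Seed: string, unixSeconds = Date.now() / 1000): [string, string] {
  const key = base32Decode(base32Seed);
  const counter = Math.floor(unixSeconds / 30);
  return [hotp(key, counter), hotp(key, counter + 1)];
}

/** Create a device, enable it on userName with two derived codes, wipe the seed. Returns the device ARN. */
export async function enrollVirtualMfa(userName: string, deviceName: string, region = "us-east-1"): Promise<string> {
  const sdkModule = "@aws-sdk/client-iam"; // non-literal specifier: file loads without the SDK
  const iam = await import(sdkModule);
  const client = new iam.IAMClient({ region });

  const created = await client.send(new iam.CreateVirtualMFADeviceCommand({ VirtualMFADeviceName: deviceName }));
  const device = created.VirtualMFADevice;
  if (!device?.SerialNumber || !device.Base32StringSeed) {
    throw new Error("CreateVirtualMFADevice returned no serial number or seed");
  }
  // Base32StringSeed is the Base32 text as bytes; it is returned only by this call.
  // JS strings cannot be zeroed, so the seed string must never be logged or persisted.
  const seed = Buffer.from(device.Base32StringSeed).toString("ascii");
  try {
    const [code1, code2] = consecutiveCodes(seed);
    await client.send(new iam.EnableMFADeviceCommand({
      UserName: userName, SerialNumber: device.SerialNumber,
      AuthenticationCode1: code1, AuthenticationCode2: code2,
    }));
  } catch (err) {
    // Enable failed: remove the never-assigned device so it does not linger as an orphan.
    await client.send(new iam.DeleteVirtualMFADeviceCommand({ SerialNumber: device.SerialNumber }));
    throw err;
  } finally {
    device.Base32StringSeed.fill(0); // treat the seed like an access key: overwrite once used
    device.QRCodePNG?.fill(0);
  }
  return device.SerialNumber;
}

// Usage (assumed environment variables, not part of the SDK):
//   MFA_ENROLL_USER=alice MFA_ENROLL_DEVICE=alice-mfa npx tsx enroll-mfa.ts
if (process.env.MFA_ENROLL_USER && process.env.MFA_ENROLL_DEVICE) {
  enrollVirtualMfa(process.env.MFA_ENROLL_USER, process.env.MFA_ENROLL_DEVICE)
    .then((arn) => console.log(`enabled ${arn}`))
    .catch((err) => { console.error(err); process.exitCode = 1; });
}
```

This automated path suits service or break-glass accounts whose seed goes straight into a secrets store (add that write before the seed buffers are zeroed); for a human user, hand QRCodePNG to their authenticator instead and let them supply the two codes, since a seed that only ever lived in a script is a seed that script's operator can replay.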