Our RA was just deployed, but I've run into a problem where new users, including the IAM Security User, do not have permission to set up MFA from the web console. They are members of iam-user-self-mgmt, but when setting up an MFA device they receive this error:

You need permissions
User xxxx is not authorized to perform: iam:CreateVirtualMFADevice on resource xxxxx: because no identity-based policy allows the iam:CreateVirtualMFADevice action.

Am I taking the wrong steps to Assign MFA? From the profile dropdown I am selecting Security Credentials and then under Multi-Factor Authentication I am clicking on Assign MFA Device. I give the device a name and select Authenticator App, click Next and then I receive the error.
Replies: 1 comment
This appears to be a result of the way the policy is written in the official security module.
https://github.com/gruntwork-io/terraform-aws-security/blob/01900ebb91f0bdc29f5cc14a6d9d3dce817b92ea/modules/iam-policies/main.tf#L673
This policy is written as:
But, I think it ought to be written as:
Or the documentation should tell us the MFA Device must be named exactly the same as your username.
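
Added example, not part of the original discussion and not the module's code: a small Python model of how an Allow statement whose Resource is `arn:aws:iam::*:mfa/${aws:username}` is matched against the virtual MFA device ARN, which is the behaviour the reply describes (the device has to carry the user's own name). Both policy statements, the user `alice` and the account id `111122223333` are constructed for illustration; the module's actual statement is at the link above.

```python
import re

# Constructed statements for illustration (assumption: not copied from the module).
SCOPED_TO_USERNAME = {
    "Effect": "Allow",
    "Action": ["iam:CreateVirtualMFADevice"],
    "Resource": ["arn:aws:iam::*:mfa/${aws:username}"],
}
ANY_DEVICE_NAME = {
    "Effect": "Allow",
    "Action": ["iam:CreateVirtualMFADevice"],
    "Resource": ["arn:aws:iam::*:mfa/*"],
}

def _glob(pattern, value, flags=0):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags | re.DOTALL) is not None

def _expand(pattern, context):
    """Replace ${key} policy variables; return None when a key is absent from the request."""
    try:
        return re.sub(r"\$\{([^}]+)\}", lambda m: context[m.group(1)], pattern)
    except KeyError:
        return None

def is_allowed(statements, action, resource, context):
    """Allow-only evaluation: with no matching Allow the request is implicitly denied."""
    for st in statements:
        if st["Effect"] != "Allow" or not any(_glob(a, action, re.IGNORECASE) for a in st["Action"]):
            continue
        for pattern in st["Resource"]:
            expanded = _expand(pattern, context)
            if expanded is not None and _glob(expanded, resource):
                return True
    return False

def demo():
    ctx = {"aws:username": "alice"}          # constructed caller
    base = "arn:aws:iam::111122223333:mfa/"  # constructed account id
    call = "iam:CreateVirtualMFADevice"
    return {
        "scoped, device 'alice-phone'": is_allowed([SCOPED_TO_USERNAME], call, base + "alice-phone", ctx),
        "scoped, device 'alice'": is_allowed([SCOPED_TO_USERNAME], call, base + "alice", ctx),
        "wildcard, device 'alice-phone'": is_allowed([ANY_DEVICE_NAME], call, base + "alice-phone", ctx),
    }

if __name__ == "__main__":
    print(demo())
```

The first case reproduces the "no identity-based policy allows" outcome from the question: the device name typed into the console becomes the last segment of the ARN, and only a name equal to the caller's username matches the scoped statement.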