Yubikey and AWS IAM

October 1, 2018

IAM gets Yubikey integration

yubi/iam what?

If you use Amazon Web Services (AWS) you'll have come across IAM (Identity and Access Management). It's how you grant users, roles and instances permission to perform actions within your account, for example making a user a power user. You can require a user to sign in with a password and an MFA device. Until recently that device could be a Gemalto key fob or display card, or a virtual MFA device on your phone. These generate a new six-digit code every 30 seconds, so a password on its own (phished, reused or guessed) isn't enough to get into your account.

So what's a YubiKey?

Well, let me start by saying I'm a BIG fan of these devices. They generate a token or OTP (One Time Password) for logging into many sites: GMail, Facebook and many others. I've had one for years and started off with the green plastic Kickstarter Edition! The current version, the 5C, supports many flavours of MFA including FIDO2, U2F, smart card (PIV) and OTP, to name a few.

As of a couple of days ago the AWS console supports using a YubiKey for MFA via U2F. YAY!!!! I'm currently working with a 4C Nano (the USB-C version) as it fits into my MacBook nicely, but this setup should work with any YubiKey 4 or later.

The latest version is the 5C and you can buy them here:

https://www.yubico.com/products/yubikey-hardware/

First things first

I use Firefox Quantum. U2F support has been available since Firefox 57... but it's not enabled by default. So if you are using Firefox, open about:config, find the security.webauth.u2f preference and set it to true before you start:

[Screenshot: Enable U2F in Firefox]

Securing IAM with Yubikey MFA and U2F

1.) Right, let's enable MFA for your IAM user. Go to the IAM dashboard and select the user you want to enable the YubiKey for. If they already have MFA on a different device you'll need to remove that first; if not, click the Manage link next to the Assigned MFA device section.

[Screenshot: Enable MFA]

2.) Next, select the new option on the MFA menu: U2F security key (which is what the YubiKey is here).

[Screenshot: Select U2F]

3.) Now you'll be prompted to insert the YubiKey and touch its button.

[Screenshot: Enable U2F]

4.) That's it, you're enabled! Easy, wasn't it?

[Screenshot: Complete U2F]
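Once a key is enrolled it's worth confirming that IAM actually records it as an active MFA device, and finding any other console users who still have none. The IAM credential report is the quickest way to do that. The script below is an added example, not code from the original post: it runs offline against a constructed sample report (the column names are those of the real report, where mfa_active is "true" for U2F keys as well as virtual/TOTP devices), and if you swap in fetch_live_report() it pulls the real one with boto3, which is assumed to be installed and configured with credentials allowed to call iam:GenerateCredentialReport and iam:GetCredentialReport.

```python
"""Audit an IAM credential report for console users without MFA.

Added example (not from the original post). Parses the CSV that
`aws iam get-credential-report` returns and lists users who can sign in
with a password but have no active MFA device (U2F, virtual or hardware).
"""
import csv
import io
import time
from typing import Dict, List, Tuple

# Constructed sample report: not real account data. Column names match the
# real IAM credential report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2018-01-01T00:00:00+00:00,not_supported,2018-09-30T10:00:00+00:00,not_supported,not_supported,true,false,false
alice,arn:aws:iam::123456789012:user/alice,2018-02-01T00:00:00+00:00,true,2018-09-30T11:00:00+00:00,2018-08-01T00:00:00+00:00,N/A,true,true,false
bob,arn:aws:iam::123456789012:user/bob,2018-03-01T00:00:00+00:00,true,no_information,2018-03-01T00:00:00+00:00,N/A,false,true,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2018-04-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,false
"""


def parse_report(report_csv: str) -> List[Dict[str, str]]:
    """Parse the credential report CSV into one dict per user."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def can_use_password(row: Dict[str, str]) -> bool:
    """True if the user can sign in to the console with a password.

    The root account reports password_enabled as "not_supported" but can
    always sign in with its password, so that value counts as enabled.
    """
    return row["password_enabled"] in ("true", "not_supported")


def console_users_without_mfa(rows: List[Dict[str, str]]) -> List[str]:
    """Names of password-enabled users with no active MFA device.

    These are the accounts an attacker can take over with nothing more than
    a phished or reused password. API-only users (no password) are skipped:
    plain access-key calls do not go through the console MFA prompt.
    """
    return [
        row["user"]
        for row in rows
        if can_use_password(row) and row["mfa_active"] != "true"
    ]


def mfa_coverage(rows: List[Dict[str, str]]) -> Tuple[int, int]:
    """(password users with MFA, password users in total)."""
    pw_users = [r for r in rows if can_use_password(r)]
    covered = sum(1 for r in pw_users if r["mfa_active"] == "true")
    return covered, len(pw_users)


def fetch_live_report() -> str:
    """Download the current report with boto3.

    Assumption: boto3 is installed and credentials allow
    iam:GenerateCredentialReport and iam:GetCredentialReport. Imported
    lazily so the offline sample runs without boto3 present.
    """
    import boto3

    iam = boto3.client("iam")
    # Report generation is asynchronous; poll until it is COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)  # swap for parse_report(fetch_live_report())
    covered, total = mfa_coverage(rows)
    print(f"MFA active on {covered}/{total} password-enabled users")
    for user in console_users_without_mfa(rows):
        print(f"NO MFA: {user}")
```

Run against the sample it flags bob (password enabled, no MFA) and leaves alice, the root account and the key-only deploy-bot alone. Against a real account, a user you have just enrolled a YubiKey for should show mfa_active as "true" on the next generated report.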

Putting it to the test

Right, if you now log out and sign in again with your user name and password as before, the MFA page will prompt you to insert your YubiKey (if it's not still in there) and touch the button. Because U2F ties the key's response to the site origin, the key will only answer the genuine AWS sign-in page; a look-alike phishing site gets no valid response, which is the real win over codes you type in by hand.

[Screenshot: U2F Login]

Bingo, you should now be logged in and ready to work as normal. One caveat: the U2F key covers console sign-in only. If you also use MFA with the CLI or API (for example aws sts get-session-token with a serial number and token code) you still need a virtual or hardware TOTP device, because a U2F key has no code to type. I'll get hold of some of these devices and if you see me at some events just ask and I'll hand a few out!