AWS Identity and Access Management
User Guide

Enable and manage virtual MFA devices (AWS CLI, Tools for Windows PowerShell, or AWS API)

The following list shows the command-line commands or API actions to use to enable a virtual MFA device.

Note

You must use the AWS Management Console to manage any MFA device for the root user in your AWS account. You cannot manage the MFA device for the root user with the AWS API, AWS CLI, Tools for Windows PowerShell, or any other command-line tool.

At this time you can manage SMS MFA devices only by using the AWS Management Console.

When you enable an MFA device from the AWS Management Console, the console performs many of these steps for you. If you instead create a virtual device using the AWS CLI, Tools for Windows PowerShell, or AWS API, then you must perform the steps manually and in the correct order. For example, to create a virtual MFA device, you must create the IAM object, extract the code as either a string or a QR code graphic, and then sync the device and associate it with an IAM user. See the Examples section of New-IAMVirtualMFADevice for more details. For a physical device, you skip the creation step and go directly to syncing the device and associating it with the user.

To create the virtual device entity in IAM to represent a virtual MFA device

These commands provide an ARN for the device that is used in place of a serial number in many of the following commands.

To enable an MFA device for use with AWS

These commands synchronize the device with AWS and associate it with a user or the root account. If the device is virtual, use the ARN of the virtual device as the serial number.

To deactivate a device

These commands disassociate the device from the user and deactivate it. If the device is virtual, use the ARN of the virtual device as the serial number. You must also separately delete the virtual device entity.

To list virtual MFA device entities

To resynchronize an MFA device

Use these commands if the device is generating codes that are not accepted by AWS. If the device is virtual, use the ARN of the virtual device as the serial number.
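Both the enable step and the resynchronize step above require two consecutive codes from the device. The following added example (not part of the AWS documentation) derives those two codes from the Base32 seed that a virtual device is created with, using the TOTP parameters AWS virtual MFA devices use (HMAC-SHA1, 30-second step, six digits); the sample seed is the RFC 6238 test key and the `seed.txt` file name and `<user>`/`<virtual-device-arn>` placeholders are assumptions.

```python
"""Derive the two consecutive TOTP codes needed to activate or resync a
virtual MFA device from the Base32 seed returned when the device was created."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample seed: the RFC 6238 test key "12345678901234567890" in Base32.
# A real seed is the content of the outfile written by (file name assumed):
#   aws iam create-virtual-mfa-device --virtual-mfa-device-name <name> \
#       --bootstrap-method Base32StringSeed --outfile seed.txt
SAMPLE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP = 30   # AWS virtual MFA devices are TOTP: 30-second time steps,
DIGITS = 6  # six digits, HMAC-SHA1 (the RFC 6238 defaults)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, at: int) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since the Unix epoch."""
    seed = seed_b32.strip()
    seed += "=" * (-len(seed) % 8)  # restore Base32 padding if the file omits it
    return hotp(base64.b32decode(seed, casefold=True), at // STEP)


def consecutive_codes(seed_b32: str, at: Optional[int] = None) -> tuple:
    """Return (code1, code2) for the current window and the one that follows:
    the pair that enable-mfa-device and resync-mfa-device expect."""
    now = int(time.time()) if at is None else at
    return totp(seed_b32, now), totp(seed_b32, now + STEP)


if __name__ == "__main__":
    code1, code2 = consecutive_codes(SAMPLE_SEED)
    # code2 belongs to the next 30-second window; submit the pair once that
    # window has started, before code1 expires.
    print("aws iam enable-mfa-device --user-name <user> "
          "--serial-number <virtual-device-arn> "
          f"--authentication-code1 {code1} --authentication-code2 {code2}")
```

The same pair of codes is what `aws iam resync-mfa-device` takes when a device has drifted and its codes are rejected.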

To delete a virtual MFA device entity in IAM

After the device is disassociated from the user, you can delete the device entity.