Assuming an IAM role
Once you have completed registering an MFA device and have logged out and back in to the AWS console using MFA, you now meet the requirements that cause the following statement in the RequireMFAPolicy you created back previously to not be applied:
{
"Sid": "DenyEverythingExceptForBelowUnlessMFAd",
"Effect": "Deny",
"NotAction": [
"iam:ListVirtualMFADevices",
"iam:ListMFADevices",
"iam:ListUsers",
"iam:ListAccountAliases",
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:ChangePassword",
"iam:CreateLoginProfile",
"iam:DeleteLoginProfile",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetLoginProfile",
"iam:UpdateLoginProfile"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:MultiFactorAuthAge": "true"
}
}
}
In the preceding code, it's important to note that the IAM effect of Deny is absolute—as soon as IAM encounters a Deny for a given permission or set of permissions, there is no way for that permission to be permitted. The Condition property however makes this broad reaching Deny conditional—it will only be applied in the event that the special condition aws:MultiFactorAuthAge is false, which is the case if you have logged in without MFA.
Given that the IAM user has logged in via MFA and is attached to the Administrators group that has permission to assume the admin role, there is nothing in the RequireMFAPolicy that is denying this action, so you should be able to now assume the admin role.
To assume the admin role using the AWS console, click on the drop down that reads <username> @ <account-name-or-id> and select Switch Role:
After clicking on the Switch Role button, you will be prompted to enter an account ID or name, and the role that you want to assume in the configure account:
You should now notice that the header in the AWS console indicates that you have to assume the admin role, and you now have full administrative access to your AWS account:
