Choose Create policy.
Note: If you have enforced multi-factor authentication (MFA) for IAM users that use the AWS Command Line Interface (AWS CLI), then you must authenticate with MFA before you complete the next step. An explicit deny error from the AWS CLI indicates that an IAM policy denies the action whenever the aws:MultiFactorAuthPresent condition key is false (or absent, as it is for requests signed with long-term access keys). The policy looks similar to the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BlockMostAccessUnlessSignedInWithMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ListUsers",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
Because your user has an MFA device, you must present an MFA token code to obtain temporary credentials for the AWS CLI. Follow the steps in the article How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI? Then, run the sts get-session-token AWS CLI command (the only STS action that the deny statement above still permits without MFA). Replace arn-of-the-mfa-device with the ARN of your MFA device and code-from-token with the current code from your device:
$ aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
The command returns an AccessKeyId, a SecretAccessKey, a SessionToken, and an Expiration time. You can use these temporary credentials by exporting the values to environment variables in the shell that runs the AWS CLI.
For example:
$ export AWS_ACCESS_KEY_ID=example-access-key-as-in-previous-output
$ export AWS_SECRET_ACCESS_KEY=example-secret-access-key-as-in-previous-output
$ export AWS_SESSION_TOKEN=example-session-token-as-in-previous-output
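The following shell script is an added example and is not code from the original article or from AWS. It automates the copy-and-paste step above: it reads the JSON that aws sts get-session-token prints, extracts the three credential fields, and emits the matching export statements, refusing to emit anything if the input has no Credentials block (for example, because the call itself was denied and printed an error instead). The session_exports and json_field function names, the eval wrapper in the usage comment, and the sample output with its placeholder values are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: turn the JSON that
# `aws sts get-session-token` prints into export statements, refusing to
# emit anything if a credential field is missing (for example, when the
# call was denied and the CLI printed an error instead of credentials).
#
# Real use (device ARN, token code and the eval wrapper are assumptions):
#   eval "$(aws sts get-session-token --serial-number arn-of-the-mfa-device \
#            --token-code code-from-token --output json | session_exports)"

# Print the value of one string field from AWS CLI JSON read on stdin.
# Assumes the CLI's default pretty-printed JSON (one key per line).
json_field() {
    sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Read get-session-token output on stdin; write three export lines to stdout.
# Returns 1 and prints nothing to stdout if any credential field is absent.
session_exports() {
    json="$(cat)"
    akid="$(printf '%s\n' "$json" | json_field AccessKeyId)"
    secret="$(printf '%s\n' "$json" | json_field SecretAccessKey)"
    token="$(printf '%s\n' "$json" | json_field SessionToken)"
    if [ -z "$akid" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "session_exports: no Credentials block in input" >&2
        return 1
    fi
    # Single-quote the values: session tokens contain '/', '+' and '='.
    printf "export AWS_ACCESS_KEY_ID='%s'\n" "$akid"
    printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
    printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
}

# Constructed sample of get-session-token output. The values are
# placeholders made up for this example, not real credentials.
SAMPLE_OUTPUT='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "exampleSecretAccessKey/wJalrXUtnFEMI",
        "SessionToken": "FwoGZXIvYXdzEExampleSessionToken+/=",
        "Expiration": "2024-01-01T12:00:00+00:00"
    }
}'

# Demo: print the export lines that the sample would produce.
printf '%s\n' "$SAMPLE_OUTPUT" | session_exports
```

Two practical notes on using it: the exported variables take precedence over any profile in ~/.aws/credentials for that shell session, so unset them (or open a new shell) when you are done, and the credentials stop working at the Expiration time in the output, after which you must run sts get-session-token again with a fresh token code. To confirm that MFA is now present on your requests, rerun the command that previously failed with the explicit deny rather than aws sts get-caller-identity, which succeeds even when an explicit deny policy applies.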