A recently reported issue in AWS's multi-MFA support for IAM users could arise when an IAM user possessed long-term access key credentials, was permitted to add an MFA device without first authenticating with MFA, and had access privileges configured to increase once MFA was added. Under these conditions, possessing the access key and secret key alone was equivalent to possessing both those credentials and a configured MFA device. The issue stemmed from the combination of the new multi-MFA feature with self-management of MFA devices by IAM users whose access was restricted until they added an MFA. It did not affect AWS Management Console-based access or federated principals. As of April 21, 2023, the issue has been remediated: IAM users who already have an MFA device must now use temporary credentials obtained via sts:GetSessionToken together with an existing MFA in order to manage their MFA devices with access key and secret key credentials. AWS notified affected customers and recommended that they confirm their MFA configurations are correct. The issue was identified and responsibly disclosed by researchers at MWR Cybersec.
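As an added example (not code from the AWS bulletin or from MWR), the kind of configuration audit a customer could run to follow AWS's recommendation: it flags IAM users whose setup matches the three conditions above. The user record, the key id and the policy document are constructed samples, the policy evaluation is deliberately simplified (only Allow statements, `*`-suffix action wildcards, and presence of the `aws:MultiFactorAuthPresent` condition key), and in a real audit the inputs would be loaded from the IAM API.

```python
# Added example, not part of the AWS bulletin. Flags IAM users that match the
# three conditions in the summary: long-term keys, permission to enrol an MFA
# device without MFA, and extra privileges gated on aws:MultiFactorAuthPresent.
# Simplification (assumption): Deny statements and NotAction are not evaluated.
MFA_ENROLL = {"iam:createvirtualmfadevice", "iam:enablemfadevice"}
MFA_COND = "aws:multifactorauthpresent"

def _actions(stmt):
    a = stmt.get("Action", [])
    return {x.lower() for x in ([a] if isinstance(a, str) else a)}

def _gated_on_mfa(stmt):
    # True if any Condition block references aws:MultiFactorAuthPresent.
    return any(MFA_COND in {k.lower() for k in v}
               for v in stmt.get("Condition", {}).values())

def _grants(patterns, action):
    # IAM action patterns: exact match, '*', or a '*' suffix wildcard such as 'iam:*'.
    return any(p == "*" or (p.endswith("*") and action.startswith(p[:-1]))
               or p == action for p in patterns)

def assess_user(user, policy_docs):
    """Return risk flags for one IAM user given its effective policy documents."""
    f = {"long_term_keys": bool(user.get("access_key_ids")),
         "has_mfa": bool(user.get("mfa_devices")),   # informational: AWS's fix covers these users
         "enroll_without_mfa": False, "privilege_gated_on_mfa": False}
    for doc in policy_docs:
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            acts = _actions(stmt)
            if not _gated_on_mfa(stmt) and any(_grants(acts, e) for e in MFA_ENROLL):
                f["enroll_without_mfa"] = True      # can add an MFA device using keys alone
            elif _gated_on_mfa(stmt) and acts - MFA_ENROLL:
                f["privilege_gated_on_mfa"] = True  # more access once MFA is present
    f["at_risk"] = (f["long_term_keys"] and f["enroll_without_mfa"]
                    and f["privilege_gated_on_mfa"])
    return f

# Constructed sample: the common "self-manage MFA, everything else needs MFA" policy shape.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices"]},
    {"Effect": "Allow", "Resource": "*", "Action": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
SAMPLE_USER = {"name": "example-user", "access_key_ids": ["AKIAEXAMPLEKEY"], "mfa_devices": []}

if __name__ == "__main__":
    print(assess_user(SAMPLE_USER, [SAMPLE_POLICY]))
```

Users that come back `at_risk` with `has_mfa` false are the ones whose MFA self-enrolment still relies on keys alone by design; those with `has_mfa` true are covered by the sts:GetSessionToken requirement described above, but their configuration is still worth confirming.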
