
AWS YubiKey Recovery

TL;DR

Lost your AWS YubiKey? Don’t panic! This guide walks you through revoking the lost key, creating a new one, and re-establishing access to your AWS account. It covers MFA device removal, IAM user updates, and generating a new security key.

Step 1: Revoke Access for the Lost YubiKey

The first step is to prevent anyone from using your lost YubiKey to access your AWS account. You’ll do this by removing the MFA device associated with your IAM user.

  1. Sign in as a different administrator: Log into the AWS Management Console using an alternative administrative account that still has access.
  2. Navigate to IAM: Go to the Identity and Access Management (IAM) service.
  3. Find your user: Select ‘Users’ from the left-hand menu, then choose the IAM user associated with the lost YubiKey.
  4. Security credentials tab: Click on the ‘Security credentials’ tab.
  5. Remove MFA device: Locate the ‘Multi-factor authentication (MFA)’ section and click ‘Deactivate’. Confirm your choice when prompted. Important: This immediately disables access using the lost YubiKey.
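The same revocation can be scripted with the AWS CLI, which is useful when an administrator has to do it quickly or for more than one user. The script below is an added example and is not part of the original post; it assumes the AWS CLI v2 is installed and that the shell is already authenticated as the alternative administrator described in step 1 (never as the locked-out user). The user name `alice` and the `IAM_USER` variable are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): CLI equivalent of Step 1.
# Run from a shell authenticated as a DIFFERENT administrator, never as the
# locked-out user. Assumes AWS CLI v2; the user name is an assumed placeholder.
set -eu

# Print the serial numbers of every MFA device assigned to a user, one per line.
# Virtual devices and FIDO/U2F keys both report an ARN here; hardware TOTP tokens
# report their physical serial.
list_mfa_serials() {
  aws iam list-mfa-devices --user-name "$1" \
      --query 'MFADevices[].SerialNumber' --output text | tr '\t' '\n'
}

# Deactivate one device for the user. From this point the lost key no longer
# satisfies an MFA prompt for that user.
revoke_mfa_device() {
  aws iam deactivate-mfa-device --user-name "$1" --serial-number "$2"
}

# Revoke every MFA device on the user and print how many were revoked, so the
# operator can confirm the number matches what they expected to find.
# Virtual devices are also deleted; otherwise the orphaned device object lingers
# and its name cannot be reused. Until Step 2 is done the user has NO second
# factor, so the password alone grants console access: enrol the replacement
# promptly.
revoke_all_mfa() {
  user="$1"
  count=0
  for serial in $(list_mfa_serials "$user"); do
    revoke_mfa_device "$user" "$serial"
    case "$serial" in
      *:mfa/*) aws iam delete-virtual-mfa-device --serial-number "$serial" ;;
    esac
    count=$((count + 1))
  done
  echo "$count"
}

# Verification: succeeds only when the user has no MFA devices left.
verify_no_mfa() {
  [ -z "$(list_mfa_serials "$1")" ]
}

# Usage: IAM_USER=alice ./revoke-mfa.sh
if [ -n "${IAM_USER:-}" ]; then
  echo "revoked $(revoke_all_mfa "$IAM_USER") MFA device(s) for $IAM_USER"
  verify_no_mfa "$IAM_USER" && echo "no MFA devices remain on $IAM_USER"
fi
```

The count printed by `revoke_all_mfa` is the check worth reading: if it is not the number of devices you expected the user to have, stop and look at the `list-mfa-devices` output before moving on, because a device you did not know about is either a second legitimate factor or something that deserves an incident ticket.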

Step 2: Create a New Security Key

Now you need to create a new security key (YubiKey) for your IAM user.

  1. Sign in with temporary credentials (if needed): If you’ve completely locked yourself out, you may need to use AWS support to generate temporary credentials.
  2. Navigate to IAM: Go back to the Identity and Access Management (IAM) service.
  3. Find your user: Select ‘Users’, then choose the IAM user.
  4. Security credentials tab: Click on the ‘Security credentials’ tab again.
  5. Assign a new MFA device: In the ‘Multi-factor authentication (MFA)’ section, click ‘Assign MFA device’.
  6. Choose your MFA type: Select ‘Virtual MFA device’ if you are using an authenticator app on your phone. If you want to use another YubiKey, select ‘U2F security key’.
  7. Follow the prompts: For a virtual MFA device, AWS shows a QR code and secret key; scan or enter these in your chosen authenticator app (e.g., Google Authenticator, Authy). For a security key, register the new YubiKey by following the instructions AWS provides.

Step 3: Test Your New Key

Before relying on the new key, verify it works correctly.

  1. Sign out of your current session: Log out of the AWS Management Console.
  2. Sign in with your IAM user: Attempt to sign in using your username and password, followed by the code generated by your new MFA device (or by tapping your new YubiKey).
  3. Successful login: If you can successfully log in, your new key is working as expected.
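Steps 2 and 3 can also be done from the AWS CLI when the replacement factor is a virtual MFA device. The script below is an added example and is not part of the original post. Note that a FIDO/U2F security key such as a YubiKey cannot be enrolled from the CLI; that registration is console-only, as the steps above describe. It assumes AWS CLI v2 and uses placeholder names for the user, the QR image file and the codes.

```shell
#!/bin/sh
# Added example (not from the original post): CLI equivalent of Steps 2 and 3 for a
# VIRTUAL MFA device. FIDO/U2F keys must be registered in the console instead.
# Assumes AWS CLI v2; user name, file names and codes are assumed placeholders.
set -eu

# A TOTP code is exactly six digits; reject anything else before it reaches AWS.
is_totp_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the virtual device and write the enrolment QR code to a PNG for the user
# to scan. Prints the device serial number (an ARN). Run as the administrator.
create_virtual_mfa() {
  user="$1"; qr_png="$2"
  aws iam create-virtual-mfa-device \
      --virtual-mfa-device-name "$user" \
      --outfile "$qr_png" --bootstrap-method QRCodePNG \
      --query 'VirtualMFADevice.SerialNumber' --output text
}

# Bind the device to the user. AWS wants two CONSECUTIVE codes from the app so it
# can confirm the device clock; the codes come from the user's app and are single-use.
enable_mfa() {
  user="$1"; serial="$2"; code1="$3"; code2="$4"
  is_totp_code "$code1" && is_totp_code "$code2" || return 2
  aws iam enable-mfa-device --user-name "$user" --serial-number "$serial" \
      --authentication-code1 "$code1" --authentication-code2 "$code2"
}

# Step 3 check, run with the USER'S OWN long-term access key (not the admin's):
# GetSessionToken with --serial-number fails unless AWS accepts a fresh code from
# the new device, so a printed expiry timestamp proves the device works end to end.
test_mfa_login() {
  serial="$1"; code="$2"
  is_totp_code "$code" || return 2
  aws sts get-session-token --serial-number "$serial" --token-code "$code" \
      --duration-seconds 900 --query 'Credentials.Expiration' --output text
}

# Usage: ./enrol-mfa.sh create alice              -> writes alice-mfa-qr.png, prints serial
#        ./enrol-mfa.sh enable alice SERIAL C1 C2  (after the user scans the QR code)
#        ./enrol-mfa.sh test SERIAL CODE           (as the user, Step 3)
case "${1:-}" in
  create) create_virtual_mfa "$2" "$2-mfa-qr.png" ;;
  enable) enable_mfa "$2" "$3" "$4" "$5" ;;
  test)   test_mfa_login "$2" "$3" ;;
esac
```

Delete the QR PNG once the user has scanned it: it carries the TOTP seed, and anyone who obtains it can generate valid codes for that user.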

Step 4: Consider IAM Roles for Enhanced Security

To reduce reliance on individual user credentials and improve security, consider using IAM roles instead of directly assigning permissions to users.

  • Create a role: Define an IAM role with the necessary permissions.
  • Assign the role: Grant access to resources based on the role, rather than attaching policies directly to your user.
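One concrete way to apply this with the CLI, as an added example that is not part of the original post, is a role whose trust policy only allows assumption after an MFA prompt has been satisfied (the `aws:MultiFactorAuthPresent` condition key). The user then holds no directly attached policies; all access flows through the role, and the new YubiKey or authenticator code is required every time it is assumed. It assumes AWS CLI v2; the account ID, role name, user and managed policy are placeholders, and the caller still needs an identity policy allowing `sts:AssumeRole` on the role.

```shell
#!/bin/sh
# Added example (not from the original post): a role that can only be assumed with
# MFA, plus the assume-role call that exercises it. Assumes AWS CLI v2; account id,
# role name, user and policy ARN are assumed placeholders.
set -eu

# Trust policy: any principal in the account may assume the role, but only when an
# MFA prompt was satisfied. The calling user additionally needs sts:AssumeRole on
# the role in its own identity policy.
mfa_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::$1:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
EOF
}

# Create the role and attach a managed policy (ReadOnlyAccess here; swap in the
# least-privilege policy the task actually needs). Prints the role ARN.
create_mfa_role() {
  role="$1"; account_id="$2"; policy_arn="${3:-arn:aws:iam::aws:policy/ReadOnlyAccess}"
  aws iam create-role --role-name "$role" \
      --assume-role-policy-document "$(mfa_trust_policy "$account_id")" \
      --query 'Role.Arn' --output text
  aws iam attach-role-policy --role-name "$role" --policy-arn "$policy_arn"
}

# Assume the role with MFA. Without --serial-number/--token-code the Bool
# condition is false and STS returns AccessDenied, which is the check you want.
assume_with_mfa() {
  role_arn="$1"; serial="$2"; code="$3"
  aws sts assume-role --role-arn "$role_arn" --role-session-name "mfa-recovery-check" \
      --serial-number "$serial" --token-code "$code" \
      --query 'Credentials.Expiration' --output text
}

# Usage: ./mfa-role.sh create ReadOnlyWithMFA 123456789012
#        ./mfa-role.sh assume ROLE_ARN MFA_SERIAL CODE
case "${1:-}" in
  create) create_mfa_role "$2" "$3" ;;
  assume) assume_with_mfa "$2" "$3" "$4" ;;
esac
```

Once the role exists, try `assume` once without the MFA arguments and confirm it is denied; that failure is the evidence that a lost key alone, or a stolen password alone, can no longer reach the role's permissions.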

Step 5: AWS Support (If Needed)

If you encounter issues or are completely locked out of your account, contact AWS Support for assistance.
