MFA enforcement IAM policy bypass

Published Tue, Apr 25th, 2023


An AWS-recommended IAM policy that enforced MFA on access keys could have been bypassed due to a change implemented by AWS in November 2022 that allowed IAM users to assign multiple MFA devices to their account. Prior to this change, an attacker that had compromised credentials could not create and assign a new MFA device to bypass the MFA requirement as they would need to first deactivate the user’s existing MFA device. Organisations using SSO which enforces MFA, either via an external IdP or AWS SSO, were not affected by this issue.

Affected Services



None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Thu, Jan 19th, 2023
Exploitablity Period
November 2022 until April 2023
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Justin Moorcroft, MWR CyberSec