Is it possible to require Multi-factor Authentication (MFA) be enabled for specific/all IAM accounts in Amazon Web Services?
There are options for password requirements and it's clear how one can choose to add it to one's account, but it's not clear if there is an option to force users to have MFA.
After a bit of looking around, it appears that the answer is "kind of". In IAM, an administrator can configure an MFA for another IAM user. Although this may be a bit tricky if you are setting up a virtual MFA, it's possible. Then, if the user has not been granted permissions to update/remove their MFA, it is effectively required.
While I have not yet determined the complete list of actions that should be denied (or simply not granted), this post seems to have the information, and I will update this answer once I have tested it.
[Update]
I was able to set up users as power-users (thereby not granting them access to any IAM functions, although I'm sure you could get more granular), and implement their MFA with them. Using this methodology, they will be unable to disable it.
The answer is yes, there is, by using a condition. For instance, for admin accounts:
It will enforce MFA for both password authentication and token-based authentication using the API.
The accepted answer is no longer valid AFAICT. AWS has documented how you can do this through their tutorial article here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html
I followed that for my new AWS Account and Team and it worked great.
Yes, you can require MFA for IAM accounts both for the web console, and for the awscli command line. In fact, it is not possible to reliably require MFA for the web console while not requiring it for the awscli command line, because both hit the same APIs. I say 'reliably' because with complex IAM policy it is possible to allow some awscli operations without MFA while enforcing MFA for the web console. However, the results are somewhat unpredictable, and besides, the IAM keys are equally if not more hazardous unprotected. My recommendation is to require it for both, and then perhaps create unprotected keys for special uses where MFA is absolutely contraindicated. For automated processes roles would be a better choice generally.
To make MFA operations on the command line easier, I've created a set of bash scripts and a carefully crafted MFA enforcement policy example that make it easy to attach/detach vMFAd, and to start and manage MFA sessions. They work on macOS and Linux variants, but likely not on Windows (not tested).
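The condition-based enforcement described in the two answers above (deny everything unless MFA is present, while still letting a user enrol their own device and obtain an MFA session token for the CLI) looks like the following IAM policy. This is an added illustration, not a policy posted by any of the answerers; the statement IDs are chosen here, and sts:GetSessionToken is left allowed without MFA so that awscli can request an MFA-backed session in the first place.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingVirtualMFADevices",
      "Effect": "Allow",
      "Action": ["iam:ListVirtualMFADevices"],
      "Resource": "*"
    },
    {
      "Sid": "AllowCreatingOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": ["iam:CreateVirtualMFADevice"],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowEnablingOwnMFADevice",
      "Effect": "Allow",
      "Action": ["iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice"],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowRemovingOwnMFADeviceOnlyWithMFA",
      "Effect": "Allow",
      "Action": ["iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"],
      "Resource": [
        "arn:aws:iam::*:user/${aws:username}",
        "arn:aws:iam::*:mfa/${aws:username}"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "DenyEverythingElseWithoutMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
```

Because the Deny statement applies to every API call, it covers both console sessions and long-term access keys, which is exactly why the console cannot be protected independently of the CLI; BoolIfExists is used so that requests where the key is absent (plain access-key calls) are also denied.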
Apparently not. It appears that MFA for IAM accounts is optional, although you'd do best to post to the AWS Support Forums for an authoritative answer.
We documented a few considerations for AWS API multifactor in general (where to add the conditions, what the implications are, etc.) in the documentation for some custom tooling (https://github.com/kreuzwerker/awsu) we developed for using Yubikeys as a source for the TOTP tokens. This makes working with roles and long-term credentials + session tokens pretty easy.