AWS IAM Profiles - Why so hard to enforce MFA?

Time: 12-03

Hi, I've got AWS and IAM profiles. Currently users have the option to set up their own MFA, but it seems there is no way I can see for the root user to enforce MFA on the users it gives access to. Surely, given the current security issues, this is something that should be promoted and enforced. Am I missing something here? Is there a way to enforce MFA on IAM users?

CodePudding user response:

My understanding is that you can't really enforce it as "I want every IAM user in this AWS account to have MFA configured". This AWS blog post explains how to restrict actions of your IAM users based on the presence of MFA.

I would say that, in general, you should care about the security of your resources and make sure you don't expose anything to an entity that does not present MFA. This can be done by enforcing MFA (similar to the blog post linked above). The optics are slightly different: you don't care whether some IAM user has MFA, you care that anyone accessing some resource presents MFA.

You can effectively set the following condition everywhere you need:

"Condition": {
    "BoolIfExists": {
        "aws:MultiFactorAuthPresent": "true"
    }
}

More information on the global condition aws:MultiFactorAuthPresent in the official docs.

P.S. I believe that, in the same way as you're able to force IAM users to change their console password on the first authentication, it could be a nice feature to be able to enforce the presence of MFA. You could try submitting a feature request on some AWS forum.
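As an added illustration (not code from the post above and not AWS's own code), the following script models how the aws:MultiFactorAuthPresent condition evaluates depending on where it is placed and which kind of credential makes the request. Per the AWS documentation for the key, it is only present when the request uses temporary credentials (console sessions, STS); a request signed with long-term access keys carries no key at all, and the IfExists suffix treats a missing key as a match. The policy shape follows the pattern AWS documents for "deny everything except MFA setup when MFA is absent", reduced to a constructed subset of actions, and the toy evaluator models only the Bool and BoolIfExists operators and ignores Resource matching. The request contexts and the s3:ListAllMyBuckets stand-in action are constructed for the example.

```python
import json

KEY = "aws:MultiFactorAuthPresent"
WORK_ACTION = "s3:ListAllMyBuckets"          # constructed stand-in for any normal action
MFA_SETUP_ACTIONS = [                        # subset of what AWS's own example allows
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
]

# Constructed request contexts. The key is only set for temporary credentials,
# so a request signed with long-term access keys has no key at all.
REQUESTS = {
    "temp creds, MFA":      {KEY: "true"},
    "temp creds, no MFA":   {KEY: "false"},
    "long-term access key": {},
}


def build_policy(gate):
    """Toy identity policy: MFA setup is always allowed; WORK_ACTION is gated by
    gate["Condition"], placed either on the Allow itself or on a catch-all Deny."""
    statements = [
        {"Sid": "AllowOwnMfaSetup", "Effect": "Allow",
         "Action": MFA_SETUP_ACTIONS, "Resource": "*"},
    ]
    if gate["Effect"] == "Allow":
        statements.append({"Sid": "AllowWorkIfMfa", "Effect": "Allow", "Action": WORK_ACTION,
                           "Resource": "*", "Condition": gate["Condition"]})
    else:
        statements.append({"Sid": "AllowWork", "Effect": "Allow",
                           "Action": WORK_ACTION, "Resource": "*"})
        statements.append({"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
                           "NotAction": MFA_SETUP_ACTIONS, "Resource": "*",
                           "Condition": gate["Condition"]})
    return {"Version": "2012-10-17", "Statement": statements}


# Three placements of the same key: the condition from the answer on an Allow,
# a plain Bool on a Deny, and the BoolIfExists/false Deny that AWS documents.
VARIANTS = {
    "Allow + BoolIfExists true": build_policy(
        {"Effect": "Allow", "Condition": {"BoolIfExists": {KEY: "true"}}}),
    "Deny + Bool false": build_policy(
        {"Effect": "Deny", "Condition": {"Bool": {KEY: "false"}}}),
    "Deny + BoolIfExists false": build_policy(
        {"Effect": "Deny", "Condition": {"BoolIfExists": {KEY: "false"}}}),
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(stmt, action):
    if "Action" in stmt:
        return action in _as_list(stmt["Action"])
    return action not in _as_list(stmt["NotAction"])   # NotAction: everything except these


def _condition_matches(condition, context):
    """Bool / BoolIfExists semantics: a missing key fails Bool but satisfies BoolIfExists."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"toy evaluator models only Bool operators, got {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False
                continue
            if context[key].lower() != expected.lower():
                return False
    return True


def decide(policy, action, context):
    """IAM evaluation order: explicit Deny wins, then any matching Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"
        allowed = True
    return "allow" if allowed else "implicit-deny"


def matrix(action=WORK_ACTION):
    """Decision for `action` under every policy variant and request type."""
    return {name: {req: decide(pol, action, ctx) for req, ctx in REQUESTS.items()}
            for name, pol in VARIANTS.items()}


if __name__ == "__main__":
    for variant, row in matrix().items():
        print(f"{variant:28}", row)
    print(json.dumps(VARIANTS["Deny + BoolIfExists false"], indent=2))
```

Running it shows why the placement matters: only the Deny with BoolIfExists/false blocks the long-term-access-key request, while the other two placements let that request through because the key is absent rather than false. The script also confirms that the MFA setup actions stay allowed in every variant, so a user without a device can still enrol one.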
