Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Can we enable MFA under organization

0

Hi Team,

Is there any possible way to enable MFA for all the accounts under one single organization using SCP? Is there any possible way to enforce MFA for all member accounts under a control tower setup?

Lets consider multiple AWS account is linked with Organization and Control tower and we need to enforce MFA for all the accounts under the same. Awaiting your update.

Regards, Vijaya gokula vasan

  • InstrumentIT
    vor 2 Monaten

    I have not found a working solution yet. Received some SCP from AWS Support but those neither work properly.. Until now the only solution I could enforce MFA to attach users policy directly to user, or users to a group which have attached MFAEnforcement.

Themen
Sicherheit, Identität & KonformitätManagement & UnternehmensführungAWS Framework mit guter Struktur
Tags
AWS Identity and Access ManagementAWS KontrollturmAWS OrganisationenSicherheitAWS Kontoverwaltung
Sprache
English
Vijaygvasan
gefragt vor 9 Monaten710 Aufrufe
2 Antworten
2

Hello.
It is possible to configure SCP to disallow IAM users who do not have MFA set.
If the following SCP is set, IAM users will not be able to operate any resources other than those related to IAM without using MFA.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ChangePassword",
                "iam:GetUser",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "iam:DeleteVirtualMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                },
                "StringLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:user/*"
                    ]
                }
            }
        }
    ]
}

For SSO users, the following procedure can be used to enforce this.
https://docs.aws.amazon.com/singlesignon/latest/userguide/how-to-configure-mfa-device-enforcement.html

profile picture
EXPERTE
Riku_Kobayashi
beantwortet vor 9 Monaten
profile picture
EXPERTE
Gary Mclean
überprüft vor 9 Monaten
  • InstrumentIT
    vor 2 Monaten

    This SCP does not works at all! I have just deployed it, tested with a localuser created withoutMFA attached AdminPolicy. I also tried at least 3 different versions to EnforceMFA for our organization: including the following: { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowManageOwnUserMFA", "Effect": "Deny", "Action": [ "iam:ListMFADevices", "iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice" ], "Resource": "", "Condition": { "StringLike": { "aws:PrincipalArn": "arn:aws:iam:::user/" } } }, { "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken" ], "Resource": "", "Condition": { "StringLike": { "aws:PrincipalArn": "arn:aws:iam:::user/" }, "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] }

0

If you use SSO in IAM Identity Center, under authentication you can configure MFA requirements.

rePost-User-4136916
beantwortet vor 9 Monaten
profile picture
EXPERTE
Gary Mclean
überprüft vor 9 Monaten
  • InstrumentIT
    vor 2 Monaten

    Only in internal SSO IDP for AWS. External IDP's simple not supported with MFA. ( example: Azure, or anything which is not AWS Directory Services, AWS Managed Directory for Microsoft Active Directory, or Cognito IDP. ).

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt