Can I enforce MFA for console sign in but not for access key (CLI) sign in?

0

I'd to require that my user's use MFA when signing in via the console. However, I'd like them to be able to use the same accounts for CLI access. However, if they don't use MFA then the CLI has very limited access.

Is it possible to write a policy that allows API operations when the user authenticated with an access key/secret key, but not when they signed in through the console?

Note that I want to do this w/o requiring every user to have two accounts (one for console, one for CLI work).

Thanks for any help!!!

m4dc4p
preguntada hace 5 años1330 visualizaciones
1 Respuesta
1

Hello,

There are two controls associated with MFA:

  1. Enabling MFA
  2. Enforcing MFA

Also, the working is different for Console and CLI access.

When MFA is enabled for a particular IAM user it is enforced in the Console only and not in CLI. If you wish you can enforce MFA in CLI for your IAM user by attaching the policy given in the document [1] on the user.

Thus to conclude, if you want to enforce MFA for console sign-in but not for CLI access, then just enable MFA for the IAM user and there is no need to apply any policy on the user. The MFA will be enforced automatically.

Let us know know in case you require further assistance.

References:
[1] Create a Policy to Enforce MFA Sign-In:

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html#tutorial_mfa_step1

AWS
respondido hace 5 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas