AWS MFA Enforce

Hi,

Have a read at these ones:

• https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html
• https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html#tutorial_mfa_step1

Let me know if is not clear enough. If it helps you, I d appreciate it if answer can be accepted so that community can benefit for clarity, thanks!

The solution would be to have a process that checks to see if a user has a registered device before the signing into the console. It is also possible at that same moment in time to prompt the user to first register an MFA device, or continue using a one-time-password: https://docs.aws.amazon.com/singlesignon/latest/userguide/how-to-configure-mfa-device-enforcement.html

The second step would be to enforce this on a continous basis to support new/future users that are created in the AWS Account. AWS Config rules can help with this. Specifically there is an AWS Managed rule set called, "mfa-enabled-for-iam-console-access", that you can apply to your account to have this requirment checked periodically (e.g. once every 24hrs, or everytime a new user is edited/modified/created(i.e. the api call)). Here's more info on this config rule: https://docs.aws.amazon.com/config/latest/developerguide/mfa-enabled-for-iam-console-access.html