Can I enforce MFA for console sign in but not for access key (CLI) sign in?

0

I'd to require that my user's use MFA when signing in via the console. However, I'd like them to be able to use the same accounts for CLI access. However, if they don't use MFA then the CLI has very limited access.

Is it possible to write a policy that allows API operations when the user authenticated with an access key/secret key, but not when they signed in through the console?

Note that I want to do this w/o requiring every user to have two accounts (one for console, one for CLI work).

Thanks for any help!!!

1回答
1

Hello,

There are two controls associated with MFA:

  1. Enabling MFA
  2. Enforcing MFA

Also, the working is different for Console and CLI access.

When MFA is enabled for a particular IAM user it is enforced in the Console only and not in CLI. If you wish you can enforce MFA in CLI for your IAM user by attaching the policy given in the document [1] on the user.

Thus to conclude, if you want to enforce MFA for console sign-in but not for CLI access, then just enable MFA for the IAM user and there is no need to apply any policy on the user. The MFA will be enforced automatically.

Let us know know in case you require further assistance.

References:
[1] Create a Policy to Enforce MFA Sign-In:

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html#tutorial_mfa_step1

AWS
回答済み 5年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ