How do I require users from other AWS accounts to use MFA to access my Amazon S3 buckets?
I want to require other users to use a multi-factor authentication (MFA) device to get access to my Amazon Simple Storage Service (Amazon S3) buckets.
Add MFA-related conditions to your bucket policy that require users from other AWS accounts to authenticate using an MFA device.
Before you begin, the users from other AWS accounts must meet the following requirements:
They must have permissions to access Amazon S3. For example, users meet this requirement if they have the AmazonS3FullAccess AWS Managed Policy included in their AWS Identity and Access Management (IAM) policies.
They must have an attached IAM policy that allows them to call GetSessionToken.
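As an added example (not code from the AWS article), here is a bucket policy carrying the MFA conditions, together with a small offline model of how IAM evaluates those conditions against a request context; the account ID, bucket name and one-hour session limit are placeholders, and the model checks only the Condition block, assuming principal, action and resource already match.

```python
"""Added example: an MFA-gated cross-account S3 bucket policy and an offline model
of how IAM evaluates its conditions (account ID, bucket, 1-hour limit are placeholders)."""
from copy import deepcopy

OTHER_ACCOUNT = {"AWS": "arn:aws:iam::111111111111:root"}  # placeholder account ID
BUCKET = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {   # Allow only from a session that was opened with MFA less than an hour ago
        "Sid": "AllowCrossAccountWithMFA", "Effect": "Allow", "Principal": OTHER_ACCOUNT,
        "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": BUCKET,
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                      "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}}},
    {   # Explicit Deny: BoolIfExists also fires for long-term keys, where the key is absent
        "Sid": "DenyWithoutMFA", "Effect": "Deny", "Principal": OTHER_ACCOUNT,
        "Action": "s3:*", "Resource": BUCKET,
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

def condition_matches(operator, key, expected, context):
    """One IAM condition test: an absent key fails unless the operator ends in IfExists."""
    if key not in context:
        return operator.endswith("IfExists")
    base = operator.removesuffix("IfExists")
    if base == "Bool":
        return str(context[key]).lower() == expected.lower()
    if base == "NumericLessThan":
        return int(context[key]) < int(expected)
    raise ValueError(f"operator not modelled: {operator}")

def matching_sids(policy, context):
    """Sids whose whole Condition block holds (principal, action and resource assumed to match)."""
    return [s["Sid"] for s in policy["Statement"]
            if all(condition_matches(op, k, v, context)
                   for op, pairs in s.get("Condition", {}).items() for k, v in pairs.items())]

def decision(policy, context):
    """Explicit Deny wins, then any matching Allow, otherwise the implicit Deny."""
    effect = {s["Sid"]: s["Effect"] for s in policy["Statement"]}
    matched = [effect[sid] for sid in matching_sids(policy, context)]
    return "Deny" if "Deny" in matched or "Allow" not in matched else "Allow"

def with_plain_bool_deny(policy):
    """Weaker variant written with Bool instead of BoolIfExists: a common mistake."""
    weak = deepcopy(policy)
    weak["Statement"][1]["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
    return weak

# Constructed request contexts: MFA session, STS session without MFA, long-term access key
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "120"}
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}
LONG_TERM_KEY = {}  # the key is not in the request context at all
```

The Deny statement uses BoolIfExists because aws:MultiFactorAuthPresent is absent from requests signed with long-term access keys, so a Deny written with plain Bool never matches those requests and any other Allow statement would let them through.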
After you add a similar bucket policy to your bucket, users can run the get-session-token AWS Command Line Interface (AWS CLI) command. The get-session-token command gets the credentials required to access the resources in your bucket. This command requires the user to provide the following:
The temporary code generated by the MFA device
The serial number of the device for a hardware MFA device, or the Amazon Resource Name (ARN) for a software MFA device