I created a multi-factor authentication (MFA) condition policy to restrict access to AWS services for AWS Identity and Access Management (IAM) users. The policy works with the AWS Management Console, but not with the AWS Command Line Interface (AWS CLI).
Short description
The following example IAM policy requires IAM users to use MFA to access specific AWS services:
{
    "Sid": "BlockMostAccessUnlessSignedInWithMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:ListVirtualMFADevices",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:ListAccountAliases",
        "iam:ListUsers",
        "iam:ListSSHPublicKeys",
        "iam:ListAccessKeys",
        "iam:ListServiceSpecificCredentials",
        "iam:ListMFADevices",
        "iam:GetAccountSummary",
        "sts:GetSessionToken"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "aws:MultiFactorAuthPresent": "false",
            "aws:ViaAWSService": "false"
        }
    }
}
In the preceding policy, IAM users that use the AWS Management Console are prompted to enter MFA authentication credentials to access AWS services. However, IAM users that use the AWS CLI aren't prompted to enter MFA authentication credentials to access AWS services.
Resolution
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Because the aws:MultiFactorAuthPresent key isn't present in requests that are signed with long-term credentials (access keys), the Bool condition doesn't match those requests, so the Deny statement doesn't apply to them. With the Bool condition operator, a key that's missing from the request context never matches the value in the policy.
IAM users who sign in to the AWS Management Console receive temporary credentials, so the key is present in their requests and access is allowed only when they authenticate with MFA.
To enforce MFA authentication with the AWS CLI, add the IfExists suffix to the condition operator (BoolIfExists) so that the policy also covers requests in which the aws:MultiFactorAuthPresent key isn't present. The Boolean condition restricts access based on a key value that's set to true or false. If the aws:MultiFactorAuthPresent key isn't in the request, then IfExists evaluates the condition element as true, and the Deny statement applies.
Example IAM policy:
{
    "Sid": "BlockMostAccessUnlessSignedInWithMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:ListVirtualMFADevices",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:ListAccountAliases",
        "iam:ListUsers",
        "iam:ListSSHPublicKeys",
        "iam:ListAccessKeys",
        "iam:ListServiceSpecificCredentials",
        "iam:ListMFADevices",
        "iam:GetAccountSummary",
        "sts:GetSessionToken"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false",
            "aws:ViaAWSService": "false"
        }
    }
}
Note: IAM users that use the AWS CLI with long-term credentials are denied access and must use MFA to authenticate. Make sure to use an MFA token to authenticate your CLI session.
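The following Python simulation is an added example, not part of this article and not AWS code. It models only how the Bool and BoolIfExists operators treat a condition key that is absent from the request context, and runs the article's Deny condition against constructed request contexts for the console, long-term access keys, and temporary credentials from sts:GetSessionToken, so you can see which requests each version of the policy actually denies.

```python
# Added example (not AWS code): minimal model of IAM Bool vs BoolIfExists
# evaluation for the Deny statement in the article. Real IAM evaluation has
# many more rules; only the two condition keys the article uses are modelled.

DENY_CONDITIONS = {
    "aws:MultiFactorAuthPresent": "false",
    "aws:ViaAWSService": "false",
}

def condition_matches(operator, conditions, request_context):
    """Return True when every key in the Condition block matches.

    Bool:         a key missing from the request context never matches.
    BoolIfExists: a key missing from the request context counts as a match.
    """
    for key, expected in conditions.items():
        if key not in request_context:
            if operator == "Bool":
                return False
            if operator == "BoolIfExists":
                continue
            raise ValueError(f"unsupported operator: {operator}")
        if str(request_context[key]).lower() != expected.lower():
            return False
    return True

def is_denied(policy_operator, request_context):
    """Apply the article's Deny statement to an action not in its NotAction list."""
    return condition_matches(policy_operator, DENY_CONDITIONS, request_context)

# Constructed request contexts (sample values, not captured API traffic).
# aws:ViaAWSService is always present; aws:MultiFactorAuthPresent is only
# present when the request is signed with temporary credentials.
CONTEXTS = {
    "console_no_mfa": {"aws:MultiFactorAuthPresent": "false", "aws:ViaAWSService": "false"},
    "console_mfa": {"aws:MultiFactorAuthPresent": "true", "aws:ViaAWSService": "false"},
    "cli_long_term_keys": {"aws:ViaAWSService": "false"},
    "cli_session_no_mfa": {"aws:MultiFactorAuthPresent": "false", "aws:ViaAWSService": "false"},
    "cli_session_mfa": {"aws:MultiFactorAuthPresent": "true", "aws:ViaAWSService": "false"},
}

def evaluate_all(policy_operator):
    """Map each constructed request to whether the Deny statement applies."""
    return {name: is_denied(policy_operator, ctx) for name, ctx in CONTEXTS.items()}

if __name__ == "__main__":
    for op in ("Bool", "BoolIfExists"):
        print(op, evaluate_all(op))
```

With Bool, the long-term-key request is the only one that slips through; with BoolIfExists it is denied, while a GetSessionToken session obtained with an MFA code is still allowed.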
Related information
How do I require users from other AWS accounts to use MFA to access my Amazon S3 buckets?
Using multi-factor authentication
Assign MFA devices in the AWS CLI or AWS API