MFA Delegation to IAM Users

0

Hi Team,

I am trying to delegate MFA setup to users by following this guide so users are not able to access any resources until they have MFA enabled. https://aws.amazon.com/blogs/security/how-to-delegate-management-of-multi-factor-authentication-to-aws-iam-users/

Once a user has configured MFA, they can access AWS resources through AWS console based on additional permissions assigned to them. However, if a user has an access key configured they are not able to access any resources through CLI.

Anyone aware of what IAM policy changes to be performed in order to allow access key users to be able to access resources once MFA is added by the user?

5 answers
0

@_takahash thank you for sharing the related case, it was useful.

@Gary I was working with the policy you provided, but so far my observations have been:

I agree with this point: "You can't create an access key unless you have MFA set up". However, a user with MFA set up cannot run any CLI commands unless they use the aws sts get-session-token command. I was trying to avoid creating two separate users, one for CLI and the other for Console access, so that only Console access is MFA-enforced while the CLI is accessible directly with access keys, but I might not have a choice.

answered a year ago
  • Try updating the condition

    I have updated my answer (policy). Try the new one.

0

Hi. Maybe no policy changes are needed, but you have to execute the 'aws sts get-session-token' command with the '--serial-number' option before accessing your resources. Check the following link.

How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?

Expert
answered a year ago
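The step this answer describes, getting temporary credentials with GetSessionToken and then using them from the CLI, is shown below as an added example; it is not code from the thread or from AWS. The STS response is a constructed sample in the shape the API returns, with placeholder key, token and MFA-serial values, and the script turns it into a named profile in an INI-style credentials file, which is the part people most often get wrong by dropping the session token.

```python
"""Turn an `aws sts get-session-token` response into a named CLI profile.

Added example, not from the original thread. The STS response below is a
constructed sample in the shape the API returns; the key, token and MFA
serial values are placeholders, not real credentials.
"""
import configparser
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Constructed sample of what this command prints (placeholder values):
#   aws sts get-session-token \
#       --serial-number arn:aws:iam::123456789012:mfa/alice \
#       --token-code 123456 --duration-seconds 43200
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "EXAMPLE-SECRET-PLACEHOLDER",
        "SessionToken": "EXAMPLE-SESSION-TOKEN-PLACEHOLDER",
        "Expiration": "2030-01-01T12:00:00+00:00",
    }
})


def parse_session_credentials(response_json: str) -> dict:
    """Map the STS response onto the keys the CLI credentials file expects."""
    creds = json.loads(response_json)["Credentials"]
    # Some tools print the expiry with a trailing Z; normalise for fromisoformat.
    expiry = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        # The session token is the part that carries the MFA assertion; leaving
        # it out makes the temporary key pair unusable.
        "aws_session_token": creds["SessionToken"],
        "expiration": expiry,
    }


def write_mfa_profile(credentials_path: Path, profile: str, creds: dict) -> None:
    """Add or replace [profile] in an INI-style AWS credentials file."""
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)          # missing file is fine; other profiles are kept
    cfg[profile] = {k: v for k, v in creds.items() if k != "expiration"}
    credentials_path.parent.mkdir(parents=True, exist_ok=True)
    with credentials_path.open("w") as fh:
        cfg.write(fh)


def seconds_remaining(creds: dict, now: Optional[datetime] = None) -> int:
    """How long the MFA session is still valid; <= 0 means fetch a new token."""
    now = now or datetime.now(timezone.utc)
    return int((creds["expiration"] - now).total_seconds())


def load_profile(credentials_path: Path, profile: str) -> dict:
    """Read a profile back, mirroring what the CLI will see."""
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    return dict(cfg[profile])


def demo(profile: str = "mfa") -> dict:
    """Write the sample session to a throwaway credentials file and read it back."""
    creds = parse_session_credentials(SAMPLE_RESPONSE)
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "credentials"
        write_mfa_profile(path, profile, creds)
        stored = load_profile(path, profile)
    # Fixed "now" so the remaining lifetime is reproducible: 12 hours.
    stored["seconds_remaining"] = seconds_remaining(
        creds, now=datetime(2030, 1, 1, 0, 0, tzinfo=timezone.utc))
    return stored


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use you would point `write_mfa_profile` at `~/.aws/credentials` and then run commands with `--profile mfa`; the long-term access key stays in its own profile and is only used to call GetSessionToken.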
0

I have seen this article already and apologies if my question was not clear.

Without MFA being enforced for the user, if an access key exists the user can directly use access keys from the CLI without requiring any additional steps.

I am looking to get MFA enforced only for AWS Console access without blocking access to CLI or requiring any additional steps being performed by end user from CLI.

Is there any available option?

answered a year ago
0

I am looking to get MFA enforced only for AWS Console access without blocking access to CLI or requiring any additional steps being performed by end user from CLI.

Sorry for my misunderstanding.

I'm afraid there is no way to enforce MFA only for AWS Console access with an MFA-enforcing IAM policy.

References: Can I enforce MFA for console sign in but not for access key (CLI) sign in? - aws re:Post

Expert
answered a year ago
0

All the information to do this can be found here https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html

I myself enforce MFA for the CLI also, because if someone loses their keys, which are mostly stored in clear text on the local machine, then anyone can use them without any additional enforcement.

Here is the policy from the link provided. You can't create an access key unless you have MFA set up. It doesn't enforce MFA for CLI access. So if a user already has an access key without MFA, it will not affect them. You would have to enforce MFA on the CLI too for that.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/*"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false",
                    "aws:ViaAWSService": "true"
                }
            }
        }
    ]
}
Expert
answered a year ago
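The thread's whole disagreement comes down to how the DenyAllExceptListedIfNoMFA statement evaluates for different kinds of credentials, so here is an added example, not code from the thread or from AWS, that models it. It is a deliberately small evaluator: only Action/NotAction matching and the Bool and BoolIfExists operators are implemented, Resource is assumed to be "*", and the statement uses the single-key condition from the AWS self-service MFA tutorial rather than the two-key variant posted above. The request contexts are constructed: a request signed with a long-term access key has no aws:MultiFactorAuthPresent key at all, which is exactly the case BoolIfExists exists to catch and the reason plain access keys stop working once this policy is attached.

```python
"""Check which requests the MFA-gating Deny statement blocks.

Added example, not from the thread. Only Action/NotAction matching and the
Bool / BoolIfExists operators are modelled; Resource is assumed to be "*".
The statement uses the single-key condition from the AWS self-service MFA
tutorial, not the two-key variant posted in the answer above.
"""
from fnmatch import fnmatchcase

DENY_IF_NO_MFA = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# Same statement with a plain Bool operator, to show why the tutorial avoids it.
DENY_IF_NO_MFA_PLAIN_BOOL = dict(
    DENY_IF_NO_MFA, Condition={"Bool": {"aws:MultiFactorAuthPresent": "false"}}
)

# Constructed request contexts. A request signed with a long-term access key
# carries no aws:MultiFactorAuthPresent key at all; temporary credentials from
# GetSessionToken (or a console sign-in) carry it as "true" or "false".
LONG_TERM_KEY = {}
SESSION_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
SESSION_WITHOUT_MFA = {"aws:MultiFactorAuthPresent": "false"}


def action_matches(statement: dict, action: str) -> bool:
    """IAM action matching is case-insensitive and supports * wildcards."""
    def hit(patterns):
        return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    if "Action" in statement:
        return hit(statement["Action"])
    return not hit(statement["NotAction"])   # NotAction: everything except these


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate Bool / BoolIfExists; all keys under an operator are ANDed."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue       # ...IfExists treats a missing key as a match
                return False       # plain Bool never matches a missing key
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def deny_applies(statement: dict, action: str, context: dict) -> bool:
    """True when this Deny statement blocks the request."""
    return (
        statement["Effect"] == "Deny"
        and action_matches(statement, action)
        and condition_matches(statement.get("Condition", {}), context)
    )


def evaluate_samples(statement: dict = DENY_IF_NO_MFA) -> dict:
    """Run the cases from the thread: plain access key vs MFA session token."""
    return {
        "s3 with long-term key": deny_applies(statement, "s3:ListAllMyBuckets", LONG_TERM_KEY),
        "GetSessionToken with long-term key": deny_applies(statement, "sts:GetSessionToken", LONG_TERM_KEY),
        "s3 with MFA session": deny_applies(statement, "s3:ListAllMyBuckets", SESSION_WITH_MFA),
        "s3 with non-MFA session": deny_applies(statement, "s3:ListAllMyBuckets", SESSION_WITHOUT_MFA),
    }


if __name__ == "__main__":
    for name, st in (("BoolIfExists", DENY_IF_NO_MFA), ("Bool", DENY_IF_NO_MFA_PLAIN_BOOL)):
        print(name)
        for case, denied in evaluate_samples(st).items():
            print(f"  {case}: {'DENIED' if denied else 'allowed by this statement'}")
```

With BoolIfExists the long-term key is denied for everything except the listed MFA-setup actions and sts:GetSessionToken, while a session obtained with MFA passes; with a plain Bool the long-term key is never matched and the policy would silently leave access keys ungated.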
