Can I enforce MFA for console sign in but not for access key (CLI) sign in?

0

I'd to require that my user's use MFA when signing in via the console. However, I'd like them to be able to use the same accounts for CLI access. However, if they don't use MFA then the CLI has very limited access.

Is it possible to write a policy that allows API operations when the user authenticated with an access key/secret key, but not when they signed in through the console?

Note that I want to do this w/o requiring every user to have two accounts (one for console, one for CLI work).

Thanks for any help!!!

m4dc4p
질문됨 5년 전1343회 조회
1개 답변
1

Hello,

There are two controls associated with MFA:

  1. Enabling MFA
  2. Enforcing MFA

Also, the working is different for Console and CLI access.

When MFA is enabled for a particular IAM user it is enforced in the Console only and not in CLI. If you wish you can enforce MFA in CLI for your IAM user by attaching the policy given in the document [1] on the user.

Thus to conclude, if you want to enforce MFA for console sign-in but not for CLI access, then just enable MFA for the IAM user and there is no need to apply any policy on the user. The MFA will be enforced automatically.

Let us know know in case you require further assistance.

References:
[1] Create a Policy to Enforce MFA Sign-In:

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html#tutorial_mfa_step1

AWS
답변함 5년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠