Can we enable MFA under organization

0

Hi Team,

Is there any possible way to enable MFA for all the accounts under one single organization using an SCP? Is there any possible way to enforce MFA for all member accounts under a Control Tower setup?

Let's consider multiple AWS accounts linked with an Organization and Control Tower, and we need to enforce MFA for all the accounts under them. Awaiting your update.

Regards, Vijaya gokula vasan

  • I have not found a working solution yet. Received some SCPs from AWS Support but those don't work properly either. Until now, the only way I could enforce MFA is to attach the policy directly to the user, or to put users in a group which has MFAEnforcement attached.

2 Answers
2

Hello.
It is possible to configure an SCP to restrict IAM users who do not have MFA set.
If the following SCP is set, IAM users will not be able to operate on any resources other than those related to IAM without using MFA.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ChangePassword",
                "iam:GetUser",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "iam:DeleteVirtualMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                },
                "StringLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:user/*"
                    ]
                }
            }
        }
    ]
}

For SSO users, the following procedure can be used to enforce this.
https://docs.aws.amazon.com/singlesignon/latest/userguide/how-to-configure-mfa-device-enforcement.html

EXPERT, answered 9 months ago
EXPERT, reviewed 9 months ago
  • This SCP does not work at all! I have just deployed it and tested with a local user created without MFA and with AdminPolicy attached. I also tried at least 3 different versions to enforce MFA for our organization, including the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowManageOwnUserMFA",
                "Effect": "Deny",
                "Action": [
                    "iam:ListMFADevices",
                    "iam:DeactivateMFADevice",
                    "iam:DeleteVirtualMFADevice"
                ],
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "aws:PrincipalArn": "arn:aws:iam::*:user/*"
                    }
                }
            },
            {
                "Sid": "DenyAllExceptListedIfNoMFA",
                "Effect": "Deny",
                "NotAction": [
                    "iam:CreateVirtualMFADevice",
                    "iam:EnableMFADevice",
                    "iam:GetUser",
                    "iam:ListMFADevices",
                    "iam:ListVirtualMFADevices",
                    "iam:ResyncMFADevice",
                    "sts:GetSessionToken"
                ],
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "aws:PrincipalArn": "arn:aws:iam::*:user/*"
                    },
                    "BoolIfExists": {
                        "aws:MultiFactorAuthPresent": "false"
                    }
                }
            }
        ]
    }
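To see what the DenyAllExceptListedIfNoMFA statement from the answer above actually catches, here is an added example (not code from the answer, the commenter or AWS) that re-implements the two condition operators the statement uses and evaluates it against constructed request contexts. It shows three things a practitioner checks before concluding the SCP "does not work": the statement only matches principals whose ARN looks like an IAM user (assumed roles and Identity Center sessions pass straight through), BoolIfExists treats a missing aws:MultiFactorAuthPresent key (long-term access keys) as "no MFA", and SCPs never apply to principals in the organization's management account, so a test user created there is unaffected no matter what the SCP says. The account id 111122223333 and the user/role names are constructed sample values; the deny statement is a copy of the one posted above.

```python
"""Offline evaluator for the DenyAllExceptListedIfNoMFA SCP statement.
Added example; it models only the IAM behaviour needed for this statement
(Deny effect, NotAction, BoolIfExists, StringLike)."""
import fnmatch

# Copy of the Deny statement from the SCP posted in the answer above.
DENY_IF_NO_MFA = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ChangePassword",
        "iam:GetUser", "iam:CreateLoginProfile", "iam:DeleteLoginProfile",
        "iam:GetLoginProfile", "iam:UpdateLoginProfile", "iam:ListMFADevices",
        "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
        "iam:DeleteVirtualMFADevice", "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"},
        "StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:user/*"]},
    },
}

# Constructed sample principals (111122223333 is a placeholder account id).
USER = "arn:aws:iam::111122223333:user/alice"
ROLE = "arn:aws:sts::111122223333:assumed-role/Admin/alice"


def _match(pattern, value, case_sensitive=True):
    """IAM-style wildcard match ('*' and '?'); actions are case-insensitive."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context_keys):
    """All condition blocks must hold; within a key, any listed value may match."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            actual = context_keys.get(key)
            if operator == "BoolIfExists":
                if actual is None:
                    continue  # key absent (long-term access keys) -> condition satisfied
                if str(actual).lower() not in [w.lower() for w in wanted]:
                    return False
            elif operator == "StringLike":
                if actual is None or not any(_match(w, actual) for w in wanted):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def statement_denies(stmt, action, context_keys):
    """True if this Deny statement matches the action and its conditions hold."""
    if stmt["Effect"] != "Deny":
        return False
    if "NotAction" in stmt:
        # NotAction: the statement applies to every action NOT in the list.
        if any(_match(p, action, False) for p in stmt["NotAction"]):
            return False
    else:
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if not any(_match(p, action, False) for p in actions):
            return False
    return _condition_holds(stmt.get("Condition", {}), context_keys)


def explicit_deny(action, principal_arn, mfa_present=None, management_account=False):
    """True when the SCP statement explicitly denies the request.
    mfa_present=None models long-term access keys, where the
    aws:MultiFactorAuthPresent key is absent from the request context.
    False only means the decision falls through to the other SCPs and the
    principal's IAM policies; it is not an allow."""
    if management_account:
        return False  # SCPs never apply to principals in the management account
    keys = {"aws:PrincipalArn": principal_arn}
    if mfa_present is not None:
        keys["aws:MultiFactorAuthPresent"] = "true" if mfa_present else "false"
    return statement_denies(DENY_IF_NO_MFA, action, keys)


def scenarios():
    """Constructed request contexts a practitioner would test the SCP with."""
    return {
        "user, access keys, s3": explicit_deny("s3:ListAllMyBuckets", USER),
        "user, access keys, enable mfa": explicit_deny("iam:EnableMFADevice", USER),
        "user, mfa session, s3": explicit_deny("s3:ListAllMyBuckets", USER, mfa_present=True),
        "user, session without mfa, s3": explicit_deny("s3:ListAllMyBuckets", USER, mfa_present=False),
        "assumed role, no mfa, s3": explicit_deny("s3:ListAllMyBuckets", ROLE),
        "user in management account": explicit_deny("s3:ListAllMyBuckets", USER, management_account=True),
    }


if __name__ == "__main__":
    for name, denied in scenarios().items():
        print(f"{name:34s} -> {'DENY' if denied else 'no explicit deny'}")
```

When testing in a real organization, create the test user in a member account under the OU the SCP is attached to, use its long-term access keys first (the key is absent, so BoolIfExists matches), then repeat after calling sts:GetSessionToken with an MFA code; a role session or a management-account user will never show the deny, which is the behaviour the evaluator reproduces.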

0

If you use SSO in IAM Identity Center, under authentication you can configure MFA requirements.

answered 9 months ago
EXPERT, reviewed 9 months ago
  • Only in the internal SSO IdP for AWS. External IdPs are simply not supported with MFA (example: Azure, or anything which is not AWS Directory Services, AWS Managed Directory for Microsoft Active Directory, or Cognito IdP).
