You are correct, the user needs to see the QR code to set up the MFA device. There is no easy way apart from applying a policy to force users to register an MFA device before being able to carry out any other tasks.
Apply this policy to all users/groups and add the users whom you require to enforce MFA to the group.
If you apply this policy to the users, they will not be able to perform any tasks unless they have added MFA.
Once the user has added their MFA, ensure the user logs out and in again.
NOTE: this is for IAM users only. SSO has its own setting to enforce MFA.
{
  "Statement": [
    {
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false",
          "aws:ViaAWSService": "false"
        }
      },
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:ListVirtualMFADevices",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:ListAccountAliases",
        "iam:ListUsers",
        "iam:ListSSHPublicKeys",
        "iam:ListAccessKeys",
        "iam:ListServiceSpecificCredentials",
        "iam:ListMFADevices",
        "iam:GetAccountSummary",
        "sts:GetSessionToken",
        "iam:GetAccountPasswordPolicy",
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Sid": "BlockMostAccessUnlessSignedInWithMFA"
    },
    {
      "Action": [
        "iam:CreateVirtualMFADevice"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:mfa/*",
      "Sid": "AllowManageOwnVirtualMFADevice"
    },
    {
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:user/${aws:username}",
      "Sid": "EnforceIAMMFA"
    }
  ],
  "Version": "2012-10-17"
}
To enforce Multi-Factor Authentication (MFA) for other users in AWS, you can follow these steps:
- Sign in to the AWS Management Console using your own credentials.
- Go to the IAM (Identity and Access Management) service.
- In the left navigation pane, click on Users.
- Select the user for whom you want to enforce MFA.
- In the Security credentials tab, locate the Assigned MFA device section.
- Click on the Manage link next to the Assigned MFA device.
- In the Manage MFA Device wizard, select the Virtual MFA device option.
- Provide instructions to the user on how to set up their MFA device (such as a virtual MFA app on their smartphone). They will need to download an authenticator app like Google Authenticator or Authy.
- Once the user has set up their MFA device, they will need to scan the QR code using their MFA app or manually enter the secret key.
- After the user has successfully set up their MFA device, click on Assign MFA.
By following these steps, you have now enforced MFA for the user. They will be required to use MFA when logging in to the AWS console. Repeat these steps for each user you want to enforce MFA for.
Nope. This only works if the user you are creating for is right beside you to perform the above.
A quick question - what about IAM 'users' that are not actually humans, but just service control entities (I know it should be roles and resource-based permissions, but we are talking legacy solutions here)? Is there a policy I can add to the above to make sure that it affects only users trying to log in to the console? Or is aws:ViaAWSService sufficient for this? I am wary of legacy 'IAM accounts' whose sole purpose is to provide a key for some script somewhere, accessing S3 etc...
Only apply the policy to humans. Either attach the policy to every group you create for humans, or have an all-users group with the policy attached. Only add humans to the group. If you add machines then it will break their access.
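To make the behaviour of the Deny statement above concrete, here is an added example (not from the original answer or from AWS) that evaluates that statement the way IAM does: NotAction exempts the listed actions, and BoolIfExists treats a condition key that is missing from the request as a match. The sample request contexts are constructed for illustration; the point they show is why a long-term access key used by a script is denied, since such requests never carry aws:MultiFactorAuthPresent.

```python
import fnmatch

# The Deny statement from the policy above. The two Allow statements do not
# matter for a Deny decision, because an explicit Deny always wins in IAM.
MFA_DENY = {
    "NotAction": [
        "iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice",
        "iam:ListVirtualMFADevices", "iam:EnableMFADevice",
        "iam:ResyncMFADevice", "iam:ListAccountAliases", "iam:ListUsers",
        "iam:ListSSHPublicKeys", "iam:ListAccessKeys",
        "iam:ListServiceSpecificCredentials", "iam:ListMFADevices",
        "iam:GetAccountSummary", "sts:GetSessionToken",
        "iam:GetAccountPasswordPolicy", "iam:ChangePassword",
    ],
    "Condition": {"BoolIfExists": {
        "aws:MultiFactorAuthPresent": "false",
        "aws:ViaAWSService": "false",
    }},
}


def bool_if_exists(wanted, context):
    """IAM 'BoolIfExists': every listed key must match, and a key that is
    absent from the request context counts as a match (a plain 'Bool'
    would instead fail to match when the key is absent)."""
    for key, expected in wanted.items():
        if key in context and str(context[key]).lower() != expected:
            return False
    return True


def denied_without_mfa(action, context):
    """True if the Deny statement blocks `action` for a request whose
    condition-context keys are given by `context`."""
    if any(fnmatch.fnmatchcase(action, pat) for pat in MFA_DENY["NotAction"]):
        return False  # NotAction: listed actions are exempt from the Deny
    return bool_if_exists(MFA_DENY["Condition"]["BoolIfExists"], context)


# Constructed sample request contexts (not real CloudTrail data).
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false", "aws:ViaAWSService": "false"}
CONSOLE_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:ViaAWSService": "false"}
# A script using long-term access keys: aws:MultiFactorAuthPresent is absent,
# so BoolIfExists matches and the request is denied, as the answer warns.
ACCESS_KEY_SCRIPT = {"aws:ViaAWSService": "false"}

if __name__ == "__main__":
    for name, ctx in [("console, no MFA", CONSOLE_NO_MFA),
                      ("console, MFA", CONSOLE_MFA),
                      ("access-key script", ACCESS_KEY_SCRIPT)]:
        print(f"{name:18} s3:ListAllMyBuckets denied:",
              denied_without_mfa("s3:ListAllMyBuckets", ctx))
    print("register own MFA device without MFA denied:",
          denied_without_mfa("iam:CreateVirtualMFADevice", CONSOLE_NO_MFA))
```

A script that must keep working under this policy can still call sts:GetSessionToken with an MFA code, which is why that action is in the NotAction list.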
Hi Gary, I'm not really good at creating IAM policies. Does the policy you have shared above give the user access to all resources once he logs in using MFA? I need the user to only have access to these:
AmazonEC2FullAccess AWSStorageGatewayFullAccess IAMUserChangePassword
The policy is tied to only allowing the user to add their own MFA device etc. You would still need to grant the appropriate access to EC2 etc. This policy prevents the user even accessing EC2 unless logged in with MFA.