Hi, your requirements are a bit unclear. When using SCPs, it is more about access management at the OU or account level. So it will be who is allowed to do what, on which resource. You can use Config to audit and detect if your requirements are currently met or deviated from. However, for MFA on the root user, Trusted Advisor provides these checks as part of its security best practices, so you can generate that report at no cost.
To the best of my knowledge, AWS SCPs can't enforce MFA; however, you can work around this:
- Create an IAM policy that requires MFA to be enabled for users/roles to perform actions in AWS
- Attach this IAM policy to the users/roles in your organization.
- Create an SCP to ensure that the IAM policy is enforced across all accounts in your organization.
Comment here if you have additional questions, happy to help.
Abhishek
possible to achieve the requirements you mentioned using AWS Service Control Policies (SCPs). Here's how:
- MFA for all IAM users: Create an SCP with the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMFAForIAMUsers",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "arn:aws:iam::*:user/${aws:username}",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```
This SCP denies all IAM actions if the user doesn't have MFA enabled.
- Hardware MFA for the root user: Create an SCP with the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireHardwareMFAForRoot",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "arn:aws:iam::*:root",
      "Condition": {
        "StringNotEquals": {
          "aws:MultiFactorAuthType": "hardware"
        }
      }
    }
  ]
}
```
This SCP denies all IAM actions for the root user if they don't have hardware MFA enabled.
- MFA for the root user: This requirement is already covered by the first SCP, which requires MFA for all IAM users, including the root user.
To resolve any issues, ensure:
- The SCPs are attached to the correct AWS Organizations or accounts.
- The policies are correctly formatted and free of errors.
- The SCPs are evaluated in the correct order (if multiple SCPs are attached).
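The detection side that the first answer points to (auditing rather than enforcing), as an added example that is not part of any answer in this thread: it evaluates the same three requirements offline against a constructed IAM credential report and a constructed `ListVirtualMFADevices` result. It assumes the report was fetched with `iam:GetCredentialReport` and the device list with `iam:ListVirtualMFADevices --assignment-status Assigned`; the account id and user names are made up.

```python
import csv
import io

# Constructed sample of an IAM credential report (iam:GetCredentialReport),
# trimmed to the columns this check needs. Root appears as "<root_account>".
SAMPLE_CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false
"""

# Constructed sample of iam:ListVirtualMFADevices (AssignmentStatus=Assigned).
# A virtual device assigned to root has a SerialNumber ending in
# ":mfa/root-account-mfa-device"; a hardware token never appears in this list.
SAMPLE_VIRTUAL_MFA_DEVICES = [
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device"},
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"},
]

def console_users_without_mfa(report_csv):
    """IAM users that can sign in with a password but have no active MFA.
    Access-key-only users (password_enabled=false) are skipped."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return sorted(r["user"] for r in rows
                  if r["user"] != "<root_account>"
                  and r["password_enabled"] == "true"
                  and r["mfa_active"] != "true")

def root_mfa_status(report_csv, virtual_devices):
    """Return 'none', 'virtual' or 'hardware' for the root user. Root with
    mfa_active=true and no assigned virtual device means a hardware token."""
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next(r for r in rows if r["user"] == "<root_account>")
    if root["mfa_active"] != "true":
        return "none"
    root_virtual = any(d["SerialNumber"].endswith(":mfa/root-account-mfa-device")
                       for d in virtual_devices)
    return "virtual" if root_virtual else "hardware"

def audit(report_csv, virtual_devices):
    """One finding string per violated requirement."""
    findings = [f"user {u} has console access without MFA"
                for u in console_users_without_mfa(report_csv)]
    status = root_mfa_status(report_csv, virtual_devices)
    if status != "hardware":
        findings.append(f"root MFA is {status}, hardware MFA expected")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CREDENTIAL_REPORT, SAMPLE_VIRTUAL_MFA_DEVICES):
        print(finding)
```

Running it against the sample data reports bob as a console user without MFA and root as using a virtual rather than hardware MFA device.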