Enable MFA for IAM users

0

Hi AWS, I am planning to write an SCP for the following:

  1. MFA should be enabled for all IAM users.
  2. Hardware MFA should be enabled for the root user.
  3. MFA should be enabled for the root user

My doubt is whether it is even possible to achieve the requirements I mentioned above via AWS SCP. Please identify.

3 Answers
1

Hi, your requirements are a bit unclear. When using the SCP, it is more access management at the OU or account level. So it will be who is allowed to do what, on what Resource. You can use Config to audit and detect if your requirements are currently met or deviated. However, for MFA on root user, Trusted Advisor provides these checks as part of security best practices, so you can generate that report at no cost.

AWS
EXPERT
AmerO
answered a month ago
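The answer above points at AWS Config for detection rather than SCPs for enforcement. As an added example (not from this answer and not an AWS-published template), the following CloudFormation template in JSON deploys three AWS managed Config rules, one per requirement in the question: IAM_USER_MFA_ENABLED, ROOT_ACCOUNT_HARDWARE_MFA_ENABLED and ROOT_ACCOUNT_MFA_ENABLED. It assumes the account already has a Config recorder and delivery channel enabled (the template does not create them); the logical IDs and rule names are my own. JSON allows no comments, so the Description fields carry the labels.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example: AWS managed Config rules that detect the three MFA requirements. Assumes a Config recorder is already enabled in the account.",
  "Resources": {
    "IamUserMfaEnabledRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "iam-user-mfa-enabled",
        "Description": "Requirement 1: every IAM user has an MFA device registered (periodic rule)",
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "IAM_USER_MFA_ENABLED"
        },
        "MaximumExecutionFrequency": "One_Hour"
      }
    },
    "RootHardwareMfaEnabledRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "root-account-hardware-mfa-enabled",
        "Description": "Requirement 2: the root user has a hardware MFA device, not only a virtual one",
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "ROOT_ACCOUNT_HARDWARE_MFA_ENABLED"
        },
        "MaximumExecutionFrequency": "One_Hour"
      }
    },
    "RootMfaEnabledRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "root-account-mfa-enabled",
        "Description": "Requirement 3: the root user has any MFA device enabled",
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "ROOT_ACCOUNT_MFA_ENABLED"
        },
        "MaximumExecutionFrequency": "One_Hour"
      }
    }
  }
}
```

These rules only report NON_COMPLIANT resources; they do not block anything. In an organization, deploying the same template as a CloudFormation StackSet to every member account gives one place to see which accounts deviate, which is the detection role the answer describes for Config.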
1

To the best of my knowledge AWS SCP can't enforce MFA, however you can work around this:

  1. Create an IAM policy that requires MFA to be enabled for users/roles to perform actions in AWS
  2. Attach this IAM policy to the users/roles in your organization.
  3. Create an SCP to ensure that the IAM policy is enforced across all accounts in your organization.

Comment here if you have additional questions, happy to help.

Abhishek

AWS
EXPERT
answered a month ago
EXPERT
reviewed a month ago
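Step 1 of the answer above (an IAM policy that requires MFA before users can act) is a well-known pattern. As an added example, not code from this answer, here is an IAM identity-based policy that implements it: a user without MFA can only view account info, enrol and manage their own MFA device, and call sts:GetSessionToken to obtain MFA-authenticated temporary credentials; everything else is denied until aws:MultiFactorAuthPresent is true. The Sid values are my own labels; `${aws:username}` is the standard IAM policy variable already used on this page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Two details matter for correctness. The deny uses BoolIfExists rather than Bool so that requests in which the aws:MultiFactorAuthPresent key is absent are also denied, not silently allowed. And the NotAction list is the complete set of calls a user needs to get from "no MFA" to "MFA present"; leaving out sts:GetSessionToken locks CLI users out, because that call is how they exchange their long-term keys plus a TOTP code for MFA-backed temporary credentials. For step 2, attach the policy to a group that every human user belongs to rather than to users one by one; for step 3, an SCP can protect the policy from being detached or deleted in member accounts, but the SCP itself cannot check whether a given user has enrolled a device.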
0

possible to achieve the requirements you mentioned using AWS Service Control Policies (SCPs). Here's how:

  1. MFA for all IAM users: Create an SCP with the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMFAForIAMUsers",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "arn:aws:iam::*:user/${aws:username}",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

This SCP denies all IAM actions if the user doesn't have MFA enabled.

  2. Hardware MFA for the root user: Create an SCP with the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireHardwareMFAForRoot",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "arn:aws:iam::*:root",
      "Condition": {
        "StringNotEquals": {
          "aws:MultiFactorAuthType": "hardware"
        }
      }
    }
  ]
}

This SCP denies all IAM actions for the root user if they don't have hardware MFA enabled.

  3. MFA for the root user: This requirement is already covered by the first SCP, which requires MFA for all IAM users, including the root user.

To resolve any issues, ensure:

  • The SCPs are attached to the correct AWS Organizations or accounts.
  • The policies are correctly formatted and free of errors.
  • The SCPs are evaluated in the correct order (if multiple SCPs are attached).
EXPERT
Sandeep
answered a month ago
