By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AWS MFA Enforce

0

Hey guys, we are looking to mandatorily enforce mfa for all users who can log into the console and are trying to figure out how to do it. Thanks in advance

Topics
Management & Governance
Tags
AWS Management Console
Language
English
rePost-User-7457398
asked 2 years ago487 views
2 Answers
0

Hi,

Have a read at these ones:

Let me know if is not clear enough. If it helps you, I d appreciate it if answer can be accepted so that community can benefit for clarity, thanks!

profile picture
EXPERT
Antonio_Lagrotteria
answered 2 years ago
profile pictureAWS
EXPERT
kentrad
reviewed 2 years ago
0

The solution would be to have a process that checks to see if a user has a registered device before the signing into the console. It is also possible at that same moment in time to prompt the user to first register an MFA device, or continue using a one-time-password: https://docs.aws.amazon.com/singlesignon/latest/userguide/how-to-configure-mfa-device-enforcement.html

The second step would be to enforce this on a continous basis to support new/future users that are created in the AWS Account. AWS Config rules can help with this. Specifically there is an AWS Managed rule set called, "mfa-enabled-for-iam-console-access", that you can apply to your account to have this requirment checked periodically (e.g. once every 24hrs, or everytime a new user is edited/modified/created(i.e. the api call)). Here's more info on this config rule: https://docs.aws.amazon.com/config/latest/developerguide/mfa-enabled-for-iam-console-access.html

Junior Shepherd
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content