AWS MFA Enforce

0

Hey guys, we are looking to mandatorily enforce mfa for all users who can log into the console and are trying to figure out how to do it. Thanks in advance

asked a year ago274 views
2 Answers
0

Hi,

Have a read at these ones:

Let me know if is not clear enough. If it helps you, I d appreciate it if answer can be accepted so that community can benefit for clarity, thanks!

profile picture
EXPERT
answered a year ago
profile pictureAWS
EXPERT
kentrad
reviewed a year ago
0

The solution would be to have a process that checks to see if a user has a registered device before the signing into the console. It is also possible at that same moment in time to prompt the user to first register an MFA device, or continue using a one-time-password: https://docs.aws.amazon.com/singlesignon/latest/userguide/how-to-configure-mfa-device-enforcement.html

The second step would be to enforce this on a continous basis to support new/future users that are created in the AWS Account. AWS Config rules can help with this. Specifically there is an AWS Managed rule set called, "mfa-enabled-for-iam-console-access", that you can apply to your account to have this requirment checked periodically (e.g. once every 24hrs, or everytime a new user is edited/modified/created(i.e. the api call)). Here's more info on this config rule: https://docs.aws.amazon.com/config/latest/developerguide/mfa-enabled-for-iam-console-access.html

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions