Can mfa-delete be enabled with external IdP users?

0

If this is true, how do I obtain the device serial? You are able to add MFA devices to Identity Center accounts in the SSO portal, although I am unsure what these are used for. I see this neither in the Identity Center dashboard nor as a CloudTrail entry for the device registration.

1 Answer
-1

Hi there! Good question, and the simple answer is yes, you can enable mfa-delete with external IdP users, but you need to configure some additional steps. I've tried to break this down into some steps you can test/implement.

  1. First, you need to connect your external IdP to AWS IAM Identity Center (successor to AWS Single Sign-On) using the SAML 2.0 protocol. This will allow your users to sign in to the AWS access portal with their existing credentials from the external IdP.

  2. Second, you need to provision your users and groups from the external IdP into IAM Identity Center before you can assign them permissions to AWS accounts or applications. You can do this manually or automatically using SCIM.

  3. Third, you need to enable mfa-delete on your S3 buckets using the AWS CLI or the API. You also need to associate your buckets with an AWS service that supports MFA delete, such as Elastic Load Balancing or CloudFront.

  4. Fourth, you need to obtain the device serial number and the authentication code from your external IdP when you perform any operation that requires MFA delete, such as deleting a version or changing the versioning state of a bucket. You can use the AWS CLI or the API to pass these parameters along with your security credentials.

Let me know if you have any issues with this, or if it helps you then please accept my answer after you've tried it out - it would be much appreciated! Good luck :)

AWS
answered a year ago
  • Thank you for the response. I am at step 3: in order to enable mfa-delete, MFA is required for the request. The CLI reference states the format is "<SERIAL> <MFA Token>". For an IAM user, this would presumably be the ARN, but I am unsure what the format is for a device registered in the SSO portal, as I see no references to it in the management portal or via the CLI. The docs refer to an MFA devices tab in the Identity Center portal, but I do not see that.
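The CLI call discussed in step 3 and in the comment above, as an added example that is not from the answer or from AWS: a small POSIX shell script that validates the `--mfa "<serial> <code>"` value, runs `put-bucket-versioning`, and reads the bucket back to confirm `MFADelete` is `Enabled`. The bucket name, account id and device name are placeholders. It assumes, as the S3 documentation requires, that the request is made with the bucket owner's root-user credentials and an MFA device registered on that root user, whose serial is the device's IAM ARN (virtual device) or hardware serial number.

```shell
#!/bin/sh
# Enable S3 MFA Delete with the AWS CLI and verify the bucket state afterwards.
# Placeholders (not from the thread): the bucket name, account id and device name below.
# Assumption: credentials are the bucket owner's root user with an MFA device on that user.

# Check that a "--mfa" value is well-formed: "<serial> <6-digit code>".
# Returns 0 when valid, 1 otherwise.
mfa_arg_is_valid() {
  serial="$1"; code="$2"
  case "$serial" in
    ""|*" "*) return 1 ;;   # serial must be non-empty and contain no whitespace
  esac
  printf '%s' "$code" | grep -Eq '^[0-9]{6}$'
}

# Print the exact CLI command used to turn MFA Delete on.
# Versioning must be Enabled in the same request; MFA Delete cannot be set alone.
build_enable_cmd() {
  bucket="$1"; serial="$2"; code="$3"
  printf 'aws s3api put-bucket-versioning --bucket %s --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "%s %s"\n' \
    "$bucket" "$serial" "$code"
}

# Run the command, then read the bucket back and fail unless MFADelete is Enabled.
enable_mfa_delete() {
  bucket="$1"; serial="$2"; code="$3"
  mfa_arg_is_valid "$serial" "$code" || { echo "bad --mfa value" >&2; return 1; }
  aws s3api put-bucket-versioning --bucket "$bucket" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "$serial $code"
  state=$(aws s3api get-bucket-versioning --bucket "$bucket" \
            --query MFADelete --output text)
  [ "$state" = "Enabled" ] || { echo "MFADelete is '$state', expected Enabled" >&2; return 1; }
}

# Example invocation with placeholder values (run with real root credentials):
# enable_mfa_delete "example-bucket" "arn:aws:iam::123456789012:mfa/root-account-mfa-device" "123456"
```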
