AWS Config Custom Rule Not Triggering on IAM MFA Changes

0

Hi, everyone!

I'm creating a custom Lambda AWS Config rule to detect when a user does not have MFA activated. I've set the rule trigger type to fire on configuration changes within the scope of the "AWS IAM User" resource.

However, adding or deleting an MFA device for an IAM User does not trigger the rule, and I can't figure out why.

Other changes, like modifying user permissions, do trigger the rule, but MFA device changes don't seem to work.

What's the best way to handle this situation? I've also tried using periodic rules, but they don't allow for the "IAM User" scope, which defeats the purpose.

If I need to use periodic rules, what is the best way to implement them? What architecture and services should I use? Using a single Lambda function to process all users doesn't seem scalable.

Thanks in advance!

2 Answers
1

I think MFA devices aren't included in the data AWS Config captures for AWS::IAM::User, so there's also no change to the data when an MFA device is attached to or detached from a user. You can confirm that from the raw JSON resource data of a user with an MFA device registered: there's no trace of it in the captured resource data.

EXPERT
Leo K
answered 2 months ago
EXPERT
reviewed 2 months ago
1

Hi Bruno, AWS Config provides a managed rule for iam-user-mfa-enabled. Is there a limitation with this managed rule that doesn't meet your use case?

If you need to create your own implementation, generating and parsing the IAM credential report with an AWS Lambda function should be feasible.

AWS
answered 2 months ago
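The credential-report approach from the answer above, worked through as an added example (this is not code from the thread or from AWS; function names, the `consoleUsersOnly` rule parameter and the sample report values are this example's own). It is written as a periodic custom Config rule: the handler generates the IAM credential report, reads the `mfa_active` column for every non-root user, and reports each user to AWS Config as COMPLIANT or NON_COMPLIANT. Two points that trip up a first implementation are handled: `GenerateCredentialReport` is asynchronous and has to be polled until `State` is `COMPLETE`, and AWS Config identifies an `AWS::IAM::User` by its unique ID (`AIDA...`), which the report does not carry, so the handler maps names to IDs with a paginated `ListUsers`. The parsing and evaluation-building functions are pure Python and run offline against the constructed sample report.

```python
"""
Periodic AWS Config rule (Lambda) that flags IAM users without MFA by
parsing the IAM credential report.  Added example, not from the re:Post
thread; the function and constant names are this example's own.
"""
import csv
import io
import json
import time

# Constructed sample credential report (same column layout IAM emits;
# account ID, names and timestamps are made up).  Used for offline runs.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,no_information,not_supported,not_supported,true,false
alice,arn:aws:iam::111122223333:user/alice,2021-05-01T00:00:00+00:00,true,2024-01-10T09:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::111122223333:user/bob,2022-03-15T00:00:00+00:00,true,2024-01-09T12:00:00+00:00,2023-11-20T00:00:00+00:00,N/A,false,false
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2022-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true
"""


def parse_credential_report(report_csv: str, console_users_only: bool = False) -> dict:
    """Return {user_name: mfa_active(bool)} for IAM users in the report.

    The root row is skipped (it is not an AWS::IAM::User resource).  With
    console_users_only=True, users with no console password are left out,
    which mirrors a policy of requiring MFA only for console sign-in.
    """
    result = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        if console_users_only and row["password_enabled"] != "true":
            continue
        result[row["user"]] = row["mfa_active"] == "true"
    return result


def build_evaluations(mfa_by_user: dict, user_ids: dict, ordering_time: str) -> list:
    """Translate parse results into AWS Config PutEvaluations entries.

    AWS Config identifies an AWS::IAM::User by its unique ID (AIDA...), not
    its name, so user_ids maps name -> UserId (from iam:ListUsers).  A user
    missing from the map falls back to its name so the finding is not lost.
    """
    evaluations = []
    for name, has_mfa in sorted(mfa_by_user.items()):
        evaluations.append({
            "ComplianceResourceType": "AWS::IAM::User",
            "ComplianceResourceId": user_ids.get(name, name),
            "ComplianceType": "COMPLIANT" if has_mfa else "NON_COMPLIANT",
            "Annotation": "MFA device registered" if has_mfa else "No MFA device registered",
            "OrderingTimestamp": ordering_time,
        })
    return evaluations


def fetch_credential_report(iam) -> str:
    """Generate the report (asynchronous on the IAM side) and poll until ready."""
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


def fetch_user_ids(iam) -> dict:
    """Map IAM user names to their unique IDs with a paginated ListUsers."""
    ids = {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            ids[user["UserName"]] = user["UserId"]
    return ids


def lambda_handler(event, context):
    """Entry point for a periodic (ScheduledNotification) custom Config rule."""
    import boto3  # imported here so the parsing code above runs without it

    invoking_event = json.loads(event["invokingEvent"])
    ordering_time = invoking_event["notificationCreationTime"]
    # "consoleUsersOnly" is this example's own optional rule parameter.
    params = json.loads(event.get("ruleParameters", "{}"))
    console_only = params.get("consoleUsersOnly", "false").lower() == "true"

    iam = boto3.client("iam")
    mfa_by_user = parse_credential_report(fetch_credential_report(iam), console_only)
    evaluations = build_evaluations(mfa_by_user, fetch_user_ids(iam), ordering_time)

    config = boto3.client("config")
    # PutEvaluations accepts at most 100 evaluations per call.
    for i in range(0, len(evaluations), 100):
        config.put_evaluations(Evaluations=evaluations[i:i + 100],
                               ResultToken=event["resultToken"])
    return {"evaluated": len(evaluations),
            "non_compliant": [e["ComplianceResourceId"] for e in evaluations
                              if e["ComplianceType"] == "NON_COMPLIANT"]}
```

The Lambda execution role needs `iam:GenerateCredentialReport`, `iam:GetCredentialReport`, `iam:ListUsers` and `config:PutEvaluations`. On the scalability concern in the question: the credential report is a single account-wide download and `ListUsers` is one paginated call, so one invocation handles every user in the account without per-user API calls; only the `PutEvaluations` batching grows with user count.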
