What is the best architecture for checking MFA status for all IAM users and handling those without MFA in AWS?


I need to create a Lambda function that validates whether each IAM user in an AWS account has MFA enabled. If a user does not have MFA, I need to trigger another Lambda function to handle that user and pass the user's details as a parameter.

However, my current Lambda function, which iterates through all IAM users, consistently times out, and simply increasing the execution time isn't scalable.

What is the best approach to achieve this? Should I continue with Lambda, or would it be more effective to manage the iteration process using something like Node.js with the AWS SDK? What architecture would best solve this problem?

Thanks in advance.

3 Answers

What part of what your Lambda is doing is taking more than 15 minutes? Try breaking it down into smaller steps.

For example, Lambda #1 gets a list of all users and dumps it to a text object in an S3 bucket. That's all it does. Hopefully this takes less than 15 minutes.

The S3 event from that new object being created triggers Lambda #2 which iterates through all the users named in the new object, and checks each for MFA.

If Lambda #2 takes longer than 15 minutes then consider an intermediate step that splits the master list into a number of smaller lists - determined by the first character of each user's name? - and then multiple invocations of Lambda #2 iterate through each of these smaller lists.

EXPERT
Steve_M
answered a month ago
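
The split described in the answer above, sketched as an added example that is not part of the original answer: one function lists users and writes one shard object per first character, the other reads the shard named in an S3 event, checks each user with `list_mfa_devices`, and asynchronously invokes the handler Lambda with the user's name. The boto3 clients are passed in as arguments; the key prefix, bucket name, handler function name, and payload shape are assumptions.

```python
import json
from collections import defaultdict
from urllib.parse import unquote_plus

PREFIX = "mfa-audit/"  # hypothetical key prefix for the shard objects


def write_user_shards(iam, s3, bucket):
    """Lambda #1: list all users once, write one text object per first character."""
    shards = defaultdict(list)
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            shards[user["UserName"][0].lower()].append(user["UserName"])
    for char, names in shards.items():
        # Each put_object raises its own S3 event, so every shard is
        # checked by a separate invocation of Lambda #2. The key uses the
        # character's code point so names starting with '+', '=' or '@' are safe.
        s3.put_object(Bucket=bucket, Key=f"{PREFIX}{ord(char):04x}.txt",
                      Body="\n".join(names).encode())
    return {char: len(names) for char, names in shards.items()}


def check_shard(event, iam, s3, lam, handler_function):
    """Lambda #2: read the shard named in the S3 event, hand off users without MFA."""
    missing = []
    for record in event["Records"]:
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])  # keys arrive URL-encoded
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read().decode()
        for name in filter(None, body.splitlines()):
            if iam.list_mfa_devices(UserName=name)["MFADevices"]:
                continue  # at least one MFA device is registered
            missing.append(name)
            # Asynchronous invoke: the checker does not wait for the handler.
            lam.invoke(FunctionName=handler_function, InvocationType="Event",
                       Payload=json.dumps({"UserName": name}).encode())
    return missing
```

In a real deployment each function would be wrapped in a Lambda handler that creates the clients with `boto3.client(...)`, and the S3 trigger for Lambda #2 would be filtered on the shard prefix.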

Hi,

If you are keen to permanently prevent it from happening, consider using SCP for your case. However, do note that SCP doesn't affect the management account. If you don't have a separate management account, maybe it's a good time to consider that as an option.

answered a month ago
