Hello,
Use AWS Config to monitor IAM user MFA status and trigger a Lambda function for non-compliant users.
https://docs.aws.amazon.com/config/latest/developerguide/iam-user-mfa-enabled.html
- Example AWS Lambda Functions for AWS Config Rules: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_examples.html
==[OR]===
What part of what your Lambda is doing is taking more than 15 minutes? Try breaking it down into smaller steps.
For example, Lambda #1 gets a list of all users and dumps it to a text object in an S3 bucket. That's all it does. Hopefully this takes less than 15 minutes.
The S3 event from that new object being created triggers Lambda #2 which iterates through all the users named in the new object, and checks each for MFA.
If Lambda #2 takes longer than 15 minutes then consider an intermediate step that splits the master list into a number of smaller lists - determined by the first character of each user's name? - and then multiple invocations of Lambda #2 iterate through each of these smaller lists.
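The two-stage design in the answer above, written out as an added example (this is not code from the answer or from AWS). It assumes a constructed in-memory IAM client (`FakeIam`) and a plain dict standing in for the S3 bucket so it runs offline; in a real deployment `iam = boto3.client("iam")` and the `store` writes become `s3.put_object(Bucket=..., Key=..., Body=...)`, with Lambda #2 taking its key from `event["Records"][0]["s3"]["object"]["key"]`. The `mfa-audit/shards/` prefix and the sample users are assumptions.

```python
"""Added example: list every IAM user (stage 1), shard by first letter, then
check MFA per shard (stage 2), so no single Lambda has to walk all users."""
import json
from collections import defaultdict


class FakeIam:
    """Constructed stand-in for boto3.client("iam"). It returns the same
    response shapes as list_users / list_mfa_devices and paginates two users
    per page so the Marker handling below is actually exercised."""

    def __init__(self, mfa_by_user, page_size=2):
        self._mfa = mfa_by_user            # user name -> list of MFA serials
        self._names = list(mfa_by_user)
        self._page = page_size

    def list_users(self, Marker="0", **_):
        start = int(Marker)
        chunk = self._names[start:start + self._page]
        page = {"Users": [{"UserName": n} for n in chunk],
                "IsTruncated": start + self._page < len(self._names)}
        if page["IsTruncated"]:
            page["Marker"] = str(start + self._page)
        return page

    def list_mfa_devices(self, UserName):
        return {"MFADevices": [{"SerialNumber": s} for s in self._mfa[UserName]]}


# Constructed sample account: three of the five users have no MFA device.
SAMPLE_MFA = {
    "alice": ["arn:aws:iam::123456789012:mfa/alice"],
    "bob": [],
    "carol": ["arn:aws:iam::123456789012:mfa/carol"],
    "dave": [],
    "anna": [],
}


def list_all_users(iam):
    """Stage 1a: follow IsTruncated/Marker until every user has been seen."""
    names, kwargs = [], {}
    while True:
        page = iam.list_users(**kwargs)
        names.extend(u["UserName"] for u in page["Users"])
        if not page.get("IsTruncated"):
            return names
        kwargs = {"Marker": page["Marker"]}


def shard_by_first_char(names):
    """Stage 1b: bucket user names by first character so each shard is small."""
    shards = defaultdict(list)
    for name in sorted(names):
        shards[name[0].lower()].append(name)
    return dict(shards)


def stage1_dump_shards(iam, store, prefix="mfa-audit/shards/"):
    """Lambda #1: write one JSON object per shard. `store` stands in for the
    S3 bucket (key -> body); each put would fire the S3 event for Lambda #2."""
    keys = []
    for letter, names in shard_by_first_char(list_all_users(iam)).items():
        key = f"{prefix}{letter}.json"
        store[key] = json.dumps(names)
        keys.append(key)
    return keys


def stage2_check_shard(iam, store, key):
    """Lambda #2: read one shard and return the users in it with no MFA device."""
    names = json.loads(store[key])
    return [n for n in names
            if not iam.list_mfa_devices(UserName=n)["MFADevices"]]


def audit_all(mfa_by_user=SAMPLE_MFA):
    """Run both stages end to end in-process; returns the non-compliant users."""
    iam, store = FakeIam(mfa_by_user), {}
    offenders = []
    for key in stage1_dump_shards(iam, store):
        offenders.extend(stage2_check_shard(iam, store, key))
    return offenders


if __name__ == "__main__":
    print(audit_all())  # ['anna', 'bob', 'dave']
```

`list_mfa_devices` only says whether a device is enrolled; if the goal is the same as the managed Config rule (console users without MFA), stage 2 should also call `iam.get_login_profile(UserName=...)`, which raises `iam.exceptions.NoSuchEntityException` for users with no console password, and skip those.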
Hi,
If you are keen to permanently prevent it from happening, consider using SCP for your case. However, do note that SCP doesn't affect the management account. If you don't have a separate management account, maybe it's a good time to consider that as an option.
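An SCP of the kind the answer above suggests, as an added example (not code from the answer or from AWS): it denies every action except the ones needed to enrol an MFA device when the calling IAM user did not authenticate with MFA, and it ships with a small evaluator for the two condition operators it uses so the policy's behaviour can be checked offline before it is attached. The `aws:PrincipalType` scoping, the action list and the request contexts in the tests are assumptions; the `BoolIfExists` form is what makes calls signed with long-term access keys (which carry no `aws:MultiFactorAuthPresent` key) match the deny.

```python
"""Added example: MFA-enforcing SCP plus a local evaluator of its conditions."""
import copy
import fnmatch

# Actions a user still needs in order to enrol a device (assumption: minimal set
# for the console/CLI MFA flow; extend if your flow needs more).
MFA_SETUP_ACTIONS = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]

SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMfaSetupWhenNoMfa",
        "Effect": "Deny",
        "NotAction": MFA_SETUP_ACTIONS,
        "Resource": "*",
        "Condition": {
            # BoolIfExists: an absent key counts as a match, so long-term access
            # keys (which never carry aws:MultiFactorAuthPresent) are denied too.
            "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"},
            # Assumption: scope to IAM users so service and cross-account roles,
            # which never authenticate with MFA, keep working.
            "StringEquals": {"aws:PrincipalType": "User"},
        },
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(stmt, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(patterns))
    if "Action" in stmt:
        return hit(stmt["Action"])
    return not hit(stmt["NotAction"])


def _condition_true(cond, ctx):
    """Evaluate only the operators this policy uses; every block must hold."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "BoolIfExists":
                if have is not None and str(have).lower() != str(want).lower():
                    return False
            elif op == "StringEquals":
                if have is None or have not in _as_list(want):
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True


def scp_denies(action, ctx, policy=SCP):
    """True if any Deny statement matches the action and request context.
    ctx is the request context, e.g. {"aws:PrincipalType": "User",
    "aws:MultiFactorAuthPresent": "false"}; omit the MFA key to model a call
    signed with a long-term access key. Resource is "*" so it is not checked."""
    return any(
        stmt["Effect"] == "Deny"
        and _action_matches(stmt, action)
        and _condition_true(stmt.get("Condition", {}), ctx)
        for stmt in policy["Statement"]
    )


def without_principal_scope(policy=SCP):
    """The same SCP minus the aws:PrincipalType condition, to show the blast
    radius: role sessions without MFA are then denied as well."""
    p = copy.deepcopy(policy)
    for stmt in p["Statement"]:
        stmt["Condition"].pop("StringEquals", None)
    return p


if __name__ == "__main__":
    user_no_mfa = {"aws:PrincipalType": "User", "aws:MultiFactorAuthPresent": "false"}
    print(scp_denies("s3:GetObject", user_no_mfa))         # True
    print(scp_denies("iam:EnableMFADevice", user_no_mfa))  # False
```

An SCP never grants anything; it only bounds what IAM policies in the member accounts can allow, which is why the evaluator only models Deny. Before attaching it, attach it to a test OU first: a Deny on `*` without the principal scoping would also stop every role session that is not MFA-backed, including the ones your deployment pipelines use.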