Hello,
This is Dinesh from AWS Premium support.
Please note that at the moment it is not possible to enable MFA on the AWS side for SAML federated users. The current best practice is to handle it on the identity provider side. However, this would still not resolve your problem, as AWS STS does not carry the MFA claim forward from your IdP to AWS. Thus, SAML-authenticated users, even with MFA authentication on the IdP side, will be treated as MFA-unauthenticated users at the AWS endpoint. This applies to AWS SSO users as well.
Having said that, our service team is aware of this issue and there is an outstanding feature request to set "additionalEventData.MFAUsed" even when MFA is used on the IdP side. All of our new announcements and releases can be found on our What's New page (https://aws.amazon.com/new/) and news blog (https://aws.amazon.com/blogs/aws/).
Workaround: You can consider modifying the event pattern as follows so you don't get an alarm for every SAML federated user's (IdP user's) login.
{($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.additionalEventData.SamlProviderArn NOT EXISTS)}
Thank you
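To see what the suggested pattern does and does not catch, here is an added example (not AWS's code and not part of the answer above) that re-implements the filter in Python and runs it over constructed CloudTrail ConsoleLogin records; the account id, ARN and user names are made up.

```python
"""Apply the CloudWatch Logs filter pattern from the answer above to
constructed CloudTrail records and return which logins it would alarm on."""
import json

# Constructed sample records, trimmed to the fields the filter reads.
SAMPLE_EVENTS = [
    # IAM user, password only: the case the alarm is meant to catch.
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    # IAM user who used a virtual MFA device: must not alarm.
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    # SAML federated user: MFA happened at the IdP, but CloudTrail still
    # records MFAUsed "No". Only the SamlProviderArn NOT EXISTS clause keeps
    # this out of the alarm, which is the page's workaround (not a fix).
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:carol"},
     "additionalEventData": {"MFAUsed": "No",
         "SamlProviderArn": "arn:aws:iam::123456789012:saml-provider/ExampleIdP"}},
    # Unrelated API call: wrong eventName, never matches.
    {"eventName": "AssumeRoleWithSAML", "additionalEventData": {}},
]

def matches_no_mfa_console_login(event: dict) -> bool:
    """Equivalent of {($.eventName = "ConsoleLogin") &&
    ($.additionalEventData.MFAUsed != "Yes") &&
    ($.additionalEventData.SamlProviderArn NOT EXISTS)}.
    Assumption: a missing MFAUsed field counts as 'not Yes'."""
    extra = event.get("additionalEventData") or {}
    return (event.get("eventName") == "ConsoleLogin"
            and extra.get("MFAUsed") != "Yes"
            and "SamlProviderArn" not in extra)

def filter_log_lines(lines) -> list:
    """Run the filter over raw JSON log lines; return matching principals."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if matches_no_mfa_console_login(ev):
            ident = ev.get("userIdentity", {})
            hits.append(ident.get("userName") or ident.get("principalId"))
    return hits

def run_sample() -> list:
    """Serialise the constructed records as log lines and filter them."""
    return filter_log_lines(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    print(run_sample())  # ['alice']
```

The federated login is excluded rather than verified, so the IdP's own MFA enforcement and logs remain the only evidence that MFA was used for those users.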
Hi Dinesh, thanks for the fast response. Then we'll wait and see if there's a solution to the issue soon.