alarm "console-access-without-mfa" due to external identity provider


Hello everyone, we use Okta as an identity provider and also do MFA via Okta to access AWS. AWS now doesn't notice that we are doing MFA, and we get the alarm "console-access-without-mfa" in CloudWatch. Does anyone have a similar problem, or can anyone tell us how we can teach AWS that we do MFA via Okta so this alarm disappears?

1 Answer
Accepted Answer

Hello,

This is Dinesh from AWS Premium support.

Please note that at the moment it is not possible to enable MFA on the AWS side for SAML federated users. The current best practice is to handle it on the identity provider side. However, this would still not resolve your problem, as AWS STS does not carry forward the MFA claim from your IdP to AWS. Thus, SAML-authenticated users, even with MFA authentication on the IdP side, will be considered MFA-unauthenticated users at the AWS endpoint. This is applicable to AWS SSO users as well.

Having said that, our service team is aware of this issue and there is an outstanding feature request to set "additionalEventData.MFAUsed" even when MFA is used on the IdP side. All of our new announcements and releases can be found on our What's New page (https://aws.amazon.com/new/) and news blog (https://aws.amazon.com/blogs/aws/).

Workaround: You can consider modifying the event pattern as follows so you don't get an alarm for all SAML federated users' (IdP users') logins.

{($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.additionalEventData.SamlProviderArn NOT EXISTS)}

Thank you

AWS
answered 6 months ago
  • Hi Dinesh, thanks for the fast response. Then we'll wait and see if there's a solution to the issue soon.
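To see what the modified metric filter from the accepted answer matches before rolling it out, here is an added example (not from the answer or from AWS) that re-implements the three conditions of that pattern in Python and runs them over constructed CloudTrail ConsoleLogin records. It is a local approximation of the CloudWatch filter language, not the service itself; the sample events, account ID and provider name are made up.

```python
# Constructed sample CloudTrail records (not real accounts or identities).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},            # IAM user, no MFA -> alarm
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"}},           # IAM user with MFA -> no alarm
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "AssumedRole", "userName": "okta-carol"},
     "additionalEventData": {
         "MFAUsed": "No",                                  # STS drops the IdP's MFA claim
         "SamlProviderArn": "arn:aws:iam::111122223333:saml-provider/ExampleIdP"}},
    {"eventName": "DescribeInstances",                     # not a login -> ignored
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "additionalEventData": {}},
]

# The filter pattern from the answer, kept here only as documentation.
FILTER_PATTERN = ('{($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes")'
                  ' && ($.additionalEventData.SamlProviderArn NOT EXISTS)}')


def lookup(event, path):
    """Resolve a '$.a.b' selector against a record; return (exists, value)."""
    node = event
    for key in path.removeprefix("$.").split("."):
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node


def should_alarm(event):
    """Local re-implementation of the three terms in FILTER_PATTERN.

    Assumption: a missing MFAUsed field counts as '!= "Yes"'. The SAML term is the
    whole point of the workaround: federated logins always carry SamlProviderArn,
    so they are excluded instead of alarming on every IdP login."""
    _, name = lookup(event, "$.eventName")
    _, mfa = lookup(event, "$.additionalEventData.MFAUsed")
    saml_present, _ = lookup(event, "$.additionalEventData.SamlProviderArn")
    return name == "ConsoleLogin" and mfa != "Yes" and not saml_present


def alarming_users(events):
    """Return the userNames of records that would still trigger the alarm."""
    return [e["userIdentity"]["userName"] for e in events if should_alarm(e)]


if __name__ == "__main__":
    print(alarming_users(SAMPLE_EVENTS))  # only the IAM user without MFA
```

Note that with this pattern the federated logins are simply exempt, so MFA for those users has to be enforced and monitored on the Okta side.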
