Can I enforce MFA for console sign in but not for access key (CLI) sign in?

Question

I'd to require that my user's use MFA when signing in via the console. However, I'd like them to be able to use the same accounts for CLI access. However, if they don't use MFA then the CLI has very limited access.  
  
Is it possible to write a policy that allows API operations when the user authenticated with an access key/secret key, but not when they signed in through the console?  
  
Note that I want to do this w/o requiring every user to have two accounts (one for console, one for CLI work).  
  
Thanks for any help!!!

Answer

Hello,  
  
There are two controls associated with MFA:  
1. Enabling MFA  
2. Enforcing MFA  
  
Also, the working is different for Console and CLI access.  
  
When MFA is enabled for a particular IAM user it is enforced in the Console only and not in CLI. If you wish you can enforce MFA in CLI for your IAM user by attaching the policy given in the document \[1] on the user.   
  
Thus to conclude, if you want to enforce MFA for console sign-in but not for CLI access, then just enable MFA for the IAM user and there is no need to apply any policy on the user. The MFA will be enforced automatically.  
  
Let us know know in case you require further assistance.  
  
References:  
\[1] Create a Policy to Enforce MFA Sign-In:  
>> https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html#tutorial_mfa_step1

Can I enforce MFA for console sign in but not for access key (CLI) sign in?

Relevant content