Difference between AWS Config rules


We're in the process of using AWS Config and found two similar rules related to MFA:

We're wondering why the second rule (iam-user-mfa-enabled) exists in the first place.

Our understanding is that users without console access (meaning they don't have a password) don't need MFA because there's no way for them to actually log in in the first place. If we have IAM users that only use access tokens (no password set), then the rule will be NON_COMPLIANT, but that's not entirely accurate since there's no way for them to actually use MFA.

Is there something we're missing here and so we should have both rules enabled? Can we ignore it and use only the first one?

1 Answer
Accepted Answer

Since MFA is required for console logins, the mfa-enabled-for-iam-console-access rule checks if MFA is enabled for users with console access, which is straightforward.

The iam-user-mfa-enabled rule, on the other hand, might be more comprehensive and could be aimed at ensuring that all IAM users, regardless of their access type, have MFA enabled for API calls. Even though MFA isn't used for access token-based users in the console, it's still a security best practice to have MFA enabled for all IAM users as a precautionary measure for any potential changes or privilege escalations.

AWS EXPERT, answered 9 months ago
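A local check, added here as an example and not part of the answer above, that reproduces the difference between the two rules over a constructed IAM credential report (the `password_enabled` and `mfa_active` columns are real report columns; the sample rows are made up). The per-rule scope logic is an approximation of the managed rules, not AWS's implementation, and reporting out-of-scope users as NOT_APPLICABLE is an assumption:

```python
import csv
import io

# Constructed sample in the column layout of an IAM credential report
# (only the columns used here are shown; real reports carry more).
SAMPLE_REPORT = """user,password_enabled,mfa_active,access_key_1_active
console-admin,true,true,false
console-nomfa,true,false,false
api-only,false,false,true
api-only-mfa,false,true,true
"""


def parse_credential_report(text: str) -> list[dict]:
    """Parse credential-report CSV rows into dicts with boolean fields.
    Values other than 'true' (e.g. 'not_supported' for root) count as false."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"],
            "password_enabled": row["password_enabled"].lower() == "true",
            "mfa_active": row["mfa_active"].lower() == "true",
        })
    return rows


def console_access_rule(user: dict) -> str:
    """Approximation of mfa-enabled-for-iam-console-access:
    only users with a console password are in scope (assumed NOT_APPLICABLE otherwise)."""
    if not user["password_enabled"]:
        return "NOT_APPLICABLE"
    return "COMPLIANT" if user["mfa_active"] else "NON_COMPLIANT"


def all_users_rule(user: dict) -> str:
    """Approximation of iam-user-mfa-enabled: every IAM user is in scope."""
    return "COMPLIANT" if user["mfa_active"] else "NON_COMPLIANT"


def evaluate(text: str) -> dict[str, tuple[str, str]]:
    """Map user name -> (console-access rule result, all-users rule result)."""
    return {u["user"]: (console_access_rule(u), all_users_rule(u))
            for u in parse_credential_report(text)}


def users_only_flagged_by_all_users_rule(text: str) -> list[str]:
    """The case from the question: API-only users with no MFA device."""
    return [name for name, (console, all_users) in evaluate(text).items()
            if console == "NOT_APPLICABLE" and all_users == "NON_COMPLIANT"]


if __name__ == "__main__":
    for name, (console, all_users) in evaluate(SAMPLE_REPORT).items():
        print(f"{name:14} console-access={console:15} iam-user-mfa={all_users}")
```

Running it shows `api-only` is the only user the two rules disagree on, which is exactly the discrepancy raised in the question.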
