- 最新
- 投票最多
- 评论最多
You can force IAM users have to enable MFA by using the following policy (e.g. named as "AllowOnlyMFA"):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BlockMostAccessUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:ListVirtualMFADevices",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:ListSSHPublicKeys",
"iam:ListAccessKeys",
"iam:ListServiceSpecificCredentials",
"iam:ListMFADevices",
"iam:GetAccountSummary",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "false",
"aws:ViaAWSService": "false"
}
}
}
]
}
Then, you can attach this policy to a Group. After that, all the users (including existing or new) will be bound to this policy. You can also explicitly attach this policy to an existing user or specify it when creating a user.
Note that the user should have other normal policies attached as usual. For example, an IAM admin user will have "AdministratorAccess" attached plus this one.
Then, this new user logs in without MFA. He will not be able to do anything, e.g. shown with a lot of API errors when trying to access EC2 console.
After that, the user can choose to enable MFA himself. After that, the user logs in again with MFA this time, and then the user will be able to perform all the admin functionalities.
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/
