Can I enforce MFA for console sign in but not for access key (CLI) sign in?

0

I'd like to require that my users use MFA when signing in via the console. However, I'd like them to be able to use the same accounts for CLI access. However, if they don't use MFA then the CLI has very limited access.

Is it possible to write a policy that allows API operations when the user authenticated with an access key/secret key, but not when they signed in through the console?

Note that I want to do this w/o requiring every user to have two accounts (one for console, one for CLI work).

Thanks for any help!!!

m4dc4p
asked 5 years ago, viewed 1349 times
1 Answer
1

Hello,

There are two controls associated with MFA:

  1. Enabling MFA
  2. Enforcing MFA

Also, the working is different for Console and CLI access.

When MFA is enabled for a particular IAM user it is enforced in the Console only and not in CLI. If you wish you can enforce MFA in CLI for your IAM user by attaching the policy given in the document [1] on the user.

Thus to conclude, if you want to enforce MFA for console sign-in but not for CLI access, then just enable MFA for the IAM user and there is no need to apply any policy on the user. The MFA will be enforced automatically.

Let us know in case you require further assistance.

References:
[1] Create a Policy to Enforce MFA Sign-In:

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html#tutorial_mfa_step1

AWS
answered 5 years ago
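
Added example, not part of the answer above and not AWS's own code: a minimal Python model of how a Deny statement conditioned on `aws:MultiFactorAuthPresent` matches under `Bool` versus `BoolIfExists`. The statement, the `NotAction` list and the request contexts are constructed; the model assumes the documented IAM behaviour that this key is absent from requests signed with long-term access keys and present for console and `sts get-session-token` sessions.

```python
import json

KEY = "aws:MultiFactorAuthPresent"

# Constructed Deny statement; %s is replaced by the condition operator under test.
STATEMENT = """{"Effect": "Deny", "NotAction": ["sts:GetSessionToken"],
 "Resource": "*", "Condition": {"%s": {"aws:MultiFactorAuthPresent": "false"}}}"""

# Constructed request contexts for the ways an IAM user can call AWS.
CONTEXTS = {
    "console, MFA used": {KEY: "true"},
    "console, no MFA device registered": {KEY: "false"},
    "CLI, long-term access key": {},  # key is absent from the request context
    "CLI, get-session-token with MFA": {KEY: "true"},
}

def condition_matches(condition, context):
    """Model of Bool / BoolIfExists matching only (no other operators)."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        for key, expected in pairs.items():
            if key not in context:
                if not if_exists:
                    return False  # Bool: a missing key never matches
                continue          # BoolIfExists: a missing key counts as a match
            if context[key].lower() != expected.lower():
                return False
    return True

def evaluate(operator):
    """Map each context name to True when the Deny statement applies to it."""
    stmt = json.loads(STATEMENT % operator)
    return {name: condition_matches(stmt["Condition"], ctx)
            for name, ctx in CONTEXTS.items()}

if __name__ == "__main__":
    for op in ("Bool", "BoolIfExists"):
        print(op)
        for name, denied in evaluate(op).items():
            print(f"  {name:36s} {'deny applies' if denied else 'deny does not apply'}")
```

With `Bool`, the Deny skips plain access-key requests and only hits sessions where the key is present and false; with `BoolIfExists`, access-key requests are denied as well until the user calls `sts get-session-token` with an MFA code.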
