31

Is it possible to require Multi-factor Authentication (MFA) be enabled for specific/all IAM accounts in Amazon Web Services?

There are options for password requirements and it's clear how one can choose to add it to one's account, but it's not clear if there is an option to force users to have MFA.

Joe
  • IAM policy that requires MFA for most actions: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html – Simon Woodside Feb 26 '19 at 05:25

6 Answers

12

After a bit of looking around, it appears that the answer is "kind of". In IAM, an administrator can configure MFA for another IAM user. Although this may be a bit tricky if you are setting up a virtual MFA, it's possible. Then, if the user has not been granted permissions to update/remove their MFA, it is effectively required.

While I have not yet determined the complete list of actions that should be denied (or simply not granted), this post seems to have the information, and I will update this answer once I have tested it.

[Update]

I was able to set up users as power users (thereby not granting them access to any IAM functions, although I'm sure you could get more granular), and implement their MFA for them. Using this methodology, they will be unable to disable it.

Joe
12

The answer is yes, there is, by using a condition. For instance, for admin accounts:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*", 
      "Condition":
      {
          "Null":{"aws:MultiFactorAuthAge":"false"}
      }
    }
  ]
}

It will enforce MFA for both password authentication and token-based authentication using the API.

smad
    Doing it this way would require it for both Console & API access; would it be possible to require it for _only_ Console access? – jeffbyrnes Jul 23 '14 at 19:19
  • No idea. I know that it is annoying for the API (CLI) as MFA is not well supported. BTW I do not really see the point of setting up stronger security if there is a way to bypass it by using another access method. – smad Jul 24 '14 at 13:46
  • @smad I think the point would be that token credentials will be auto-generated and stored on the user's hard drive, so the only attack vector is getting it from the user's computer, either via malware, stealing the computer, etc. The password on the other hand might be weak or re-used on other sites, so there's an additional attack vector of brute-forcing it or getting it from a password dump from a hacked site. A password policy can help, but it's hard to prevent people from e.g. using a dictionary word with only the i replaced with a 1 or !. – danny Nov 21 '15 at 02:20
  • @jeffbyrnes When you enable a user for MFA, this is by default only enabled for console access. You then have to use IAM policy like this to define what API/CLI actions require MFA, if any. – SeanFromIT Jun 27 '16 at 16:14
  • @SeanFromIT thanks much! Very helpful, and backed by my experiences as well. Forgot about this comment from way back when :) – jeffbyrnes Jun 28 '16 at 02:26
  • I'm not sure this is working anymore - at least, unless I didn't apply it correctly! (as a new policy, assigned to the Administrators group). Both new & existing administrators on my account are able to log in without having set up MFA. – Tim Malone Apr 03 '17 at 01:52
  • This doesn't deny existing permissions if MFA is disabled, but allows the user to do anything if MFA is enabled. This cannot be combined with other fine-grained permissions. You should strongly warn newbies about that; it could be dangerous. This one is better: https://www.obytes.com/blog/enforce-mfa-for-aws-iam-users – maxime Jan 05 '22 at 11:52
10

The accepted answer is no longer valid AFAICT. AWS has documented how you can do this through their tutorial article here:

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html

I followed that for my new AWS Account and Team and it worked great.

Gowie47
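
As an added example (not code from any answer on this page, and not AWS's own evaluation engine), the Python below models just enough of IAM's identity-policy evaluation (explicit Deny wins, then Allow, then implicit deny; the Null, Bool and BoolIfExists condition operators; NotAction) to compare the two patterns discussed above: smad's Allow-with-Null-condition policy, and the deny-based "deny everything except MFA self-management when MFA is absent" pattern of the kind the AWS tutorial linked in the previous answer uses. The policy documents, the SELF_MANAGE action list (an illustrative subset, not the tutorial's exact list) and the two request contexts are all constructed for this example.

```python
import fnmatch

# Stand-in for the AWS managed AdministratorAccess policy.
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# smad's pattern: Allow everything, but only when the MFA-age key is present.
NULL_ALLOW = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*",
                             "Condition": {"Null": {"aws:MultiFactorAuthAge": "false"}}}]}

# Deny-based pattern (constructed for this example, modelled on the AWS
# self-manage tutorial): deny everything except MFA enrolment when MFA is absent.
# SELF_MANAGE is an illustrative subset, not the tutorial's exact list.
SELF_MANAGE = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
               "iam:ListMFADevices", "iam:ListVirtualMFADevices",
               "iam:ResyncMFADevice", "sts:GetSessionToken"]
DENY_WITHOUT_MFA = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Deny", "NotAction": SELF_MANAGE,
                                   "Resource": "*",
                                   "Condition": {"BoolIfExists":
                                                 {"aws:MultiFactorAuthPresent": "false"}}}]}

# Constructed request contexts. A plain long-term access key carries neither
# MFA key; a session obtained with a TOTP code carries both.
NO_MFA = {}
WITH_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "120"}


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') against one string or a list."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_met(conditions, ctx):
    """Only the operators this comparison needs; anything else is rejected loudly."""
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            present = key in ctx
            want = str(expected).lower()
            if operator == "Null":
                # "true": key must be absent from the request; "false": must be present.
                if (want == "true") == present:
                    return False
            elif operator == "Bool":
                if not present or ctx[key].lower() != want:
                    return False
            elif operator == "BoolIfExists":
                # An absent key satisfies the condition; that is what makes this
                # operator catch long-term keys that carry no MFA keys at all.
                if present and ctx[key].lower() != want:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policies, action, resource, ctx):
    """Simplified identity-policy evaluation: an applicable Deny always wins,
    then any applicable Allow, otherwise the implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "NotAction" in stmt:
                if _matches(stmt["NotAction"], action):
                    continue
            elif not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_met(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def compare_patterns():
    """Evaluate the two patterns, alone and alongside admin rights."""
    cases = {
        "null-allow alone, no MFA":        ([NULL_ALLOW], "s3:ListAllMyBuckets", NO_MFA),
        "null-allow alone, MFA":           ([NULL_ALLOW], "s3:ListAllMyBuckets", WITH_MFA),
        "admin + null-allow, no MFA":      ([ADMIN, NULL_ALLOW], "s3:ListAllMyBuckets", NO_MFA),
        "admin + deny-pattern, no MFA":    ([ADMIN, DENY_WITHOUT_MFA], "s3:ListAllMyBuckets", NO_MFA),
        "admin + deny-pattern, MFA":       ([ADMIN, DENY_WITHOUT_MFA], "s3:ListAllMyBuckets", WITH_MFA),
        "admin + deny-pattern, enrol MFA": ([ADMIN, DENY_WITHOUT_MFA], "iam:EnableMFADevice", NO_MFA),
    }
    return {name: evaluate(pols, action, "*", ctx)
            for name, (pols, action, ctx) in cases.items()}


if __name__ == "__main__":
    for name, outcome in compare_patterns().items():
        print(f"{name:34} -> {outcome}")
```

The third case is the trap maxime's comment warns about: the Null-conditioned Allow only adds permissions, so a user who also holds AdministratorAccess keeps full access with no MFA. The Deny-based statement blocks that same request, while still leaving the enrolment actions (and sts:GetSessionToken, which the CLI needs to start an MFA session) reachable to a user who has not yet set a device up.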
1

Yes, you can require MFA for IAM accounts both for the web console, and for the awscli command line. In fact, it is not possible to reliably require MFA for the web console while not requiring it for the awscli command line, because both hit the same APIs. I say 'reliably' because with complex IAM policy it is possible to allow some awscli operations without MFA while enforcing MFA for the web console. However, the results are somewhat unpredictable, and besides, the IAM keys are equally if not more hazardous unprotected. My recommendation is to require it for both, and then perhaps create unprotected keys for special uses where MFA is absolutely contraindicated. For automated processes roles would be a better choice generally.

To make MFA operations on the command line easier, I've created a set of bash scripts and a carefully crafted MFA enforcement policy example that make it easy to attach/detach vMFAd, and to start and manage MFA sessions. They work on macOS and Linux variants, but likely not on Windows (not tested).

Ville
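
As an added example (not Ville's scripts), the Python below shows the session flow such tooling automates: the long-term access key calls `aws sts get-session-token` with the MFA device serial and a current TOTP code (the one STS action a deny-without-MFA policy must leave reachable), and the temporary credentials in the response are written as a named profile in `~/.aws/credentials` format, with a check of how long they remain valid. The sample response, the profile name, the account ID and the MFA device ARN are constructed placeholders.

```python
import configparser
import io
import json
from datetime import datetime, timezone

# Constructed stand-in for what `aws sts get-session-token` prints; the
# credential values are placeholders, not real keys.
SAMPLE_RESPONSE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEY000001",
    "SecretAccessKey": "exampleSecretKeyDoNotUse",
    "SessionToken": "exampleSessionTokenDoNotUse",
    "Expiration": "2024-01-01T12:00:00+00:00"}})


def session_token_command(mfa_serial, token_code, duration_seconds=43200):
    """Argument vector for the STS call the long-term key is allowed to make
    without MFA; mfa_serial is the virtual device ARN or hardware serial."""
    return ["aws", "sts", "get-session-token",
            "--serial-number", mfa_serial,
            "--token-code", token_code,
            "--duration-seconds", str(duration_seconds)]


def render_profile(response_json, profile_name):
    """Render the temporary credentials as a section for ~/.aws/credentials."""
    creds = json.loads(response_json)["Credentials"]
    cp = configparser.ConfigParser()
    cp[profile_name] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def _parse(iso_timestamp):
    # Accept both the "Z" suffix and an explicit "+00:00" offset.
    return datetime.fromisoformat(iso_timestamp.replace("Z", "+00:00"))


def seconds_remaining(response_json, now_iso=None):
    """How long the session is still usable; negative once it has expired."""
    creds = json.loads(response_json)["Credentials"]
    now = _parse(now_iso) if now_iso else datetime.now(timezone.utc)
    return (_parse(creds["Expiration"]) - now).total_seconds()


if __name__ == "__main__":
    # Example account ID and device ARN, constructed for this demonstration.
    print(" ".join(session_token_command("arn:aws:iam::123456789012:mfa/alice", "123456")))
    print(render_profile(SAMPLE_RESPONSE, "alice-mfa"))
    print(seconds_remaining(SAMPLE_RESPONSE, "2024-01-01T00:00:00+00:00"))
```

Commands run with `--profile alice-mfa` then carry `aws:MultiFactorAuthPresent` in their request context and pass a deny-without-MFA policy, while the long-term key on its own can do nothing but request the session and manage its device.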
0

Apparently not. It appears that MFA for IAM accounts is optional, although you'd do best to post to the AWS Support Forums for an authoritative answer.

Tom O'Connor
  • Thanks for the link, but it answers a different question about when MFA will be required once it is enabled. This question is about whether the enabling can be enforced. – Joe Feb 28 '13 at 15:03
0

We documented a few considerations for AWS API multi-factor authentication in general (where to add the conditions, what the implications are, etc.) in the documentation for some custom tooling (https://github.com/kreuzwerker/awsu) we developed for using Yubikeys as the source for the TOTP tokens. This makes working with roles and long-term credentials + session tokens pretty easy.

yawn