
I am creating more than 20 IAM users and I want to enable virtual MFA device for them. Is there any way I can do it at once for all of them or any way to automate this task ? I want to make it mandatory for all IAM users to use MFA and without setting it up they can't proceed.

GrzegorzOledzki
Yeleshwar
  • https://aws.amazon.com/blogs/security/how-to-delegate-management-of-multi-factor-authentication-to-aws-iam-users/ – dmourati Dec 17 '16 at 22:46
  • @dmourati - isn't this just an answer if you provided that link and a quick summary of pointing out to `Condition` `"aws:MultiFactorAuthAge": "true"` to be used in policies? – GrzegorzOledzki Dec 17 '16 at 23:51
  • Maybe, but that was all I had time for and wanted to give a pointer in the right direction. – dmourati Dec 18 '16 at 00:43

2 Answers

My solution to this is a two step activation process for new users:

  1. Create the user with enough rights to change their password and update their MFA. Tell them they need to update their MFA. They do not get into their 'real' groups yet.
  2. Have a polling script that runs periodically. If a user has their MFA activated, they get added to their designated groups.

Users who don't update their MFA will be able to do... nothing. When they complain, send them the reminder of how to update their MFA. When they come back with "OK, I've done it", run the #2 script.

sysadmin1138
What about the following page? It seems to answer your problem: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_cliapi.html

Pixel
  • This is a link-only answer, please add at least a summary of the solution as links do rot. – sysadmin1138 Mar 19 '17 at 17:32
  • Sorry for that. Well, it's self-explanatory and I like to keep it simple; I'd use the PowerShell command `New-IAMVirtualMFADevice` and script that for each of the users – Pixel Apr 02 '17 at 10:04