
I am able to use the answer in this question to enforce MFA on individual IAM users and groups, via a policy: Can you require MFA for AWS IAM accounts?

But if someone creates a new IAM user, that user is not subject to the same restrictions. Is there some way to enforce MFA for all IAM users, including ones which haven't been created yet?

Ivy

1 Answer


Another way to approach this is to set up an IAM policy so that some or all operations require the user to be 2FA authenticated. So while a user doesn't have to have 2FA turned on, they can't do anything that's protected this way unless they have authenticated.

The AWS Blog has an example which says they have to have authenticated within 300 seconds, which may be a bit short in practice.

{
  "Statement":[{
      "Action":["ec2:*"],
      "Effect":"Allow",
      "Resource":["*"],
      "Condition":{
         "NumericLessThan":{"aws:MultiFactorAuthAge":"300"}
      }
    }
  ]
}
Tim
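To see what the condition in the answer actually does for different kinds of requests, here is an added example (not code from the question, the answer, or AWS) that simulates the relevant IAM evaluation rules offline. It uses the real condition keys `aws:MultiFactorAuthAge` and `aws:MultiFactorAuthPresent` and the real operators `NumericLessThan` and `BoolIfExists`, but the evaluator itself is a simplified, hypothetical stand-in for the IAM policy engine. It also shows the "deny everything except MFA setup unless MFA is present" pattern as a constructed hardened variant: unlike the answer's Allow-with-condition, a `BoolIfExists` Deny also catches requests signed with long-term access keys, where the MFA keys are absent from the request context entirely. The Resource is left as `*` for brevity; a real deployment would scope the MFA setup statements to the caller's own user.

```python
"""Offline simulator of the IAM condition logic behind MFA enforcement.

Added example, not code from the original post or from AWS. It models only
the rules needed here: explicit Deny beats Allow, implicit Deny otherwise,
and the NumericLessThan / BoolIfExists operators on the MFA context keys.
"""
from fnmatch import fnmatchcase

# The policy quoted in the answer: allow EC2 only if MFA was used < 300 s ago.
BLOG_POLICY = {
    "Statement": [{
        "Action": ["ec2:*"],
        "Effect": "Allow",
        "Resource": ["*"],
        "Condition": {"NumericLessThan": {"aws:MultiFactorAuthAge": "300"}},
    }]
}

# Hardened variant (constructed here): keep an unconditional Allow on the
# user/group, and add a Deny with NotAction that blocks everything except
# MFA setup whenever the request carries no MFA. Because BoolIfExists treats
# a missing key as a match, access-key requests (no MFA keys at all) are
# denied too, which a plain Allow-with-condition cannot express.
MFA_SETUP_ACTIONS = [
    "iam:ListMFADevices", "iam:ListVirtualMFADevices",
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
]
EC2_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
DENY_UNLESS_MFA = {
    "Statement": [
        {"Effect": "Allow", "Action": MFA_SETUP_ACTIONS, "Resource": "*"},
        {"Effect": "Deny", "NotAction": MFA_SETUP_ACTIONS, "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and accept '*' wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Return True when every operator/key pair in the Condition block matches."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "NumericLessThan":
                # A missing key never satisfies a plain (non-IfExists) operator,
                # so a session without MFA can never pass the answer's Allow.
                if actual is None or not float(actual) < float(expected):
                    return False
            elif operator == "BoolIfExists":
                # Missing key counts as a match; a present key must equal expected.
                if actual is not None and str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def evaluate(policies, action, context):
    """Combine all attached policies the way IAM does: any matching explicit
    Deny wins, any matching Allow grants, otherwise the implicit Deny applies."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if "NotAction" in stmt:
                applies = not _action_matches(stmt["NotAction"], action)
            else:
                applies = _action_matches(stmt["Action"], action)
            if not applies or not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed request contexts: fresh MFA, stale MFA, console session
    # without MFA, and an access-key request carrying no MFA keys at all.
    contexts = {
        "fresh":      {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "100"},
        "stale":      {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "4000"},
        "no_mfa":     {"aws:MultiFactorAuthPresent": "false"},
        "access_key": {},
    }
    for name, ctx in contexts.items():
        print(f"{name:11}"
              f" blog_policy={evaluate([BLOG_POLICY], 'ec2:RunInstances', ctx):5}"
              f" deny_unless_mfa={evaluate([EC2_FULL_ACCESS, DENY_UNLESS_MFA], 'ec2:RunInstances', ctx):5}"
              f" mfa_setup={evaluate([EC2_FULL_ACCESS, DENY_UNLESS_MFA], 'iam:EnableMFADevice', ctx)}")
```

Running it prints one line per constructed context. The answer's policy allows `ec2:RunInstances` only for the fresh-MFA session and denies the other three, including the access-key request, because the missing `aws:MultiFactorAuthAge` key fails `NumericLessThan`. The hardened pair denies EC2 for `no_mfa` and `access_key` while still allowing `iam:EnableMFADevice`, so a new user with no device can enrol one but do nothing else until they have.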