Require Multi-Factor Authentication (MFA) for IAM User in AWS

As a security best practice, we should always require IAM Users to have Multi-Factor Authentication (MFA) enabled when accessing the AWS Console.

The problem is: how do we actually require users to configure MFA?

The IAM policy below can be used to require users to enable their MFA. If they have not enabled MFA, all their permissions are denied except the few needed to set it up. This makes access to your AWS Account more secure.



IAM Policy that requires IAM Users to have Multi-Factor Authentication (MFA)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListMFADevices",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowChangeOwnPasswordsOnFirstLogin",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowChangeOwnPasswordsAfterMFAEnabled",
            "Effect": "Allow",
            "Action": [
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:ListUsers",
                "iam:ChangePassword",
                "iam:GetUser",
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ],
    "Id": "RadishLogic.com MFA Required IAM Policy"
}

The name of my IAM Policy is MFA-Required; you may use whatever name you like.

Attaching the MFA-Required IAM Policy

You may attach the MFA-Required IAM Policy above in one of the following ways:

  • as the IAM User’s inline policy
  • through an IAM Group policy
  • by attaching it directly to the IAM User

I prefer creating an MFARequired IAM Group and attaching the MFA-Required IAM policy to it. With this I will be able to create a Lambda Function that checks whether all my IAM Users who have access to the AWS Console are members of the MFARequired IAM Group.


MFA-Required IAM Policy Notes

The policy above has the following features.

  • Denies all resource and service access if MFA is not set up for the IAM User. Without MFA, the only permissions left are viewing the user’s own IAM page and adding or deleting MFA devices.
  • This even denies users with the AdministratorAccess policy attached from accessing other resources if MFA is not enabled, because an explicit Deny overrides any Allow.
  • The user can change their password even if MFA is not configured when “User must create a new password at next sign-in” is selected.
  • Password change is disabled via IAM Console if the user has not yet configured MFA.
  • IAM Users can only see their own IAM settings. They will not be able to see settings for other users.
  • IAM User can configure Virtual MFA, U2F and hardware MFA.
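To see how the Deny statement above interacts with a broad Allow such as AdministratorAccess (the behaviour described in the notes), here is a small evaluator added for this post; it is not code from the post or from AWS. It reproduces only two of the policy’s statements plus a constructed AdministratorAccess equivalent, and implements just the subset of IAM evaluation the policy relies on (wildcards, NotAction, Bool/BoolIfExists, explicit Deny wins); `evaluate`, its helpers and the sample user names are assumptions of the example.

```python
import fnmatch

# Constructed subset of the page's MFA-Required policy plus an AdministratorAccess equivalent.
MFA_REQUIRED = {"Statement": [
    {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
     "Action": ["iam:EnableMFADevice", "iam:ListMFADevices"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
     "NotAction": ["iam:EnableMFADevice", "iam:ListMFADevices"],
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}
ADMIN_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(stmt, action):
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    # NotAction: the statement applies to every action NOT in the list
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def _condition_matches(stmt, ctx):
    for op, pairs in stmt.get("Condition", {}).items():
        for key, want in pairs.items():
            if key not in ctx:
                # aws:MultiFactorAuthPresent is absent for access-key requests;
                # BoolIfExists treats a missing key as satisfied, plain Bool does not
                if op.endswith("IfExists"):
                    continue
                return False
            if ctx[key] != want:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' the way IAM orders the checks."""
    username = ctx.get("aws:username", "")
    allowed = False
    for pol in policies:
        for stmt in pol["Statement"]:
            res = [r.replace("${aws:username}", username) for r in _as_list(stmt["Resource"])]
            if (_action_matches(stmt, action)
                    and any(fnmatch.fnmatchcase(resource, r) for r in res)
                    and _condition_matches(stmt, ctx)):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny always wins, even over AdministratorAccess
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

The evaluator is a teaching model, not a substitute for the IAM policy simulator; it ignores permission boundaries, SCPs and resource policies.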

The policy above does NOT grant permission to manage the following, even when MFA is configured.

  • Access Keys
  • Signing Certificates
  • SSH Public Keys for CodeCommit
  • Git Credentials for CodeCommit

I hope the above IAM Policy helps in requiring your IAM User to have MFA.

One thought on “Require Multi-Factor Authentication (MFA) for IAM User in AWS”

  1. Just a note to say that this is outdated – you can now have multiple MFA devices and name them to your liking, so if a user creates an MFA key with a name that doesn’t match the IAM username, this will break 🙂
