Enforce MFA on AWS for IAM users with user groups & policies

Adrian Angel Sanz Melchor, published in AWS Tip, Apr 13, 2022

Goal

We came across the need to enforce MFA usage on all IAM accounts for security reasons, but we did not want to restrict AWS permissions any further, so we thought of just telling the users it is required and manually deactivating any user who had not enabled it after 7 days… But this is far too manual and would require us to chase the users as if we were the Spanish Inquisition…

So we decided to use user groups and policies to enforce MFA: until a user enables it, they will not be able to do anything except change their own password and enable MFA.

How it will work

We will create an IAM group, for example “Enforce_MFA”, add all the users we want to enforce MFA on to that group, and then attach a policy that will:

  • Without MFA, only allow the user to enable MFA, change the password of their own user and list users (otherwise, the first time the user gets their account they would be able neither to change their password nor to enable MFA)
  • Only allow certain users to modify groups, even if MFA is activated

NOTE: once the user has MFA, they will have access to all AWS resources (except IAM, where they will not be able to modify user groups or their policies)

The policy

After some research, it looks like there are tons of examples of how to do this with policies, and after quite some testing we arrived at a combination that works for us. Here’s the full policy:

This policy has been tested and is in use right now; if you find any issue with it, comments are welcome! The things I tested:

On users without MFA

  • I was able to change the password and activate MFA on a new account
  • I was able to change the password again after account creation
  • I was not able to do anything else, nor modify anything other than my own user

On users with MFA

  • Cannot modify user groups
  • Cannot modify the groups attached to other users or to my own user
  • Cannot create new policy versions
  • Can modify and work in the console as if we were admins (we have another group that allows this, so this is intended and not related to this policy)

Remember that this is useful for our use case, but you can modify it to suit your needs: for example, if you only want certain policies to be protected from modification; the same goes for groups…

Using AWS CLI

If you try to make requests with the AWS CLI, all of them will fail because there’s no MFA authentication on the request itself. If you need to use the CLI, follow this guide
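Since the embedded policy did not survive on this page, the following is an added example of the shape such a group policy usually takes, together with a small local evaluator that replays the test matrix above and the CLI case. It is my example, not the author's policy: the IAM action names and the `aws:MultiFactorAuthPresent` condition key are real, while the account id, user names, the `Enforce_MFA` group name and the evaluator's simplified semantics (no SCPs, permission boundaries or resource policies) are assumptions. It goes a step beyond the post in two places: it shows why the no-MFA deny needs a second, resource-scoped statement once a broad admin policy is also attached, and why a plain CLI call made with long-term access keys is denied, since for those credentials the MFA key is absent from the request context and `BoolIfExists` treats an absent key as satisfying the condition.

```python
"""Added example: an MFA-enforcing IAM group policy plus a toy evaluator
that replays the post's test matrix. Not the author's policy. IAM action
names and the aws:MultiFactorAuthPresent key are real; the account id,
user names and the evaluator's simplified semantics are assumptions."""
import fnmatch
import json

ACCOUNT = "123456789012"  # constructed placeholder account id
# Actions a user may call before enabling MFA (excluded from the deny below).
SELF_SERVICE = [
    "iam:ChangePassword", "iam:GetUser", "iam:GetAccountPasswordPolicy",
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices",
    "iam:ListVirtualMFADevices", "iam:ListUsers", "iam:ResyncMFADevice",
    "sts:GetSessionToken",  # lets a CLI user obtain MFA-backed temporary creds
]
OWN_USER = f"arn:aws:iam::{ACCOUNT}:user/${{aws:username}}"
OWN_MFA = f"arn:aws:iam::{ACCOUNT}:mfa/${{aws:username}}"
NO_MFA = {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}


def build_policy() -> dict:
    """Policy document for the Enforce_MFA group (group name assumed)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowOwnCredentialManagement", "Effect": "Allow",
         "Action": ["iam:ChangePassword", "iam:GetUser", "iam:CreateVirtualMFADevice",
                    "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice"],
         "Resource": [OWN_USER, OWN_MFA]},
        {"Sid": "AllowAccountWideListing", "Effect": "Allow",
         "Action": ["iam:ListUsers", "iam:ListVirtualMFADevices",
                    "iam:GetAccountPasswordPolicy"], "Resource": "*"},
        {"Sid": "DenyGroupAndPolicyChangesEvenWithMFA", "Effect": "Deny",
         "Action": ["iam:AddUserToGroup", "iam:RemoveUserFromGroup",
                    "iam:AttachGroupPolicy", "iam:DetachGroupPolicy",
                    "iam:PutGroupPolicy", "iam:DeleteGroupPolicy",
                    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"],
         "Resource": "*"},
        # Without MFA, deny everything except the self-service actions ...
        {"Sid": "DenyAllExceptSelfServiceIfNoMFA", "Effect": "Deny",
         "NotAction": SELF_SERVICE, "Resource": "*", "Condition": NO_MFA},
        # ... and deny the self-service actions on anyone else's user. Without
        # this, a broad Allow from another group (the post's admin group) would
        # let a non-MFA session change other users' passwords.
        {"Sid": "DenySelfServiceOnOtherUsersIfNoMFA", "Effect": "Deny",
         "Action": ["iam:ChangePassword", "iam:CreateVirtualMFADevice",
                    "iam:EnableMFADevice", "iam:ResyncMFADevice"],
         "NotResource": [OWN_USER, OWN_MFA], "Condition": NO_MFA},
    ]}


def policy_json() -> str:
    """Serialised document for `aws iam put-group-policy --policy-document file://...`."""
    return json.dumps(build_policy(), indent=2)


# ---- toy evaluator: explicit Deny beats Allow, otherwise implicit deny ----
def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _matches(patterns, value, ctx):
    pats = [p.replace("${aws:username}", ctx["aws:username"]) for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _condition_holds(cond, ctx):
    for op, pairs in (cond or {}).items():
        for key, want in pairs.items():
            have = ctx.get(key)  # None means the key is absent from the request context
            if op == "BoolIfExists" and have is None:
                continue  # ...IfExists: an absent key satisfies the condition
            if op not in ("Bool", "BoolIfExists"):
                raise NotImplementedError(op)
            if have is None or str(have).lower() != want.lower():
                return False
    return True


def is_allowed(policies, action, resource, ctx) -> bool:
    allowed = False
    for pol in policies:
        for st in pol["Statement"]:
            act_ok = (_matches(st["Action"], action, ctx) if "Action" in st
                      else not _matches(st["NotAction"], action, ctx))
            res_ok = (_matches(st["Resource"], resource, ctx) if "Resource" in st
                      else not _matches(st["NotResource"], resource, ctx))
            if not (act_ok and res_ok and _condition_holds(st.get("Condition"), ctx)):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Stands in for the post's separate admin group.
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def user_arn(name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


def check(action, resource, mfa, user="alice", with_admin=True) -> bool:
    """mfa: True/False for temporary credentials; None for long-term access
    keys, where the key is absent from the context (a plain CLI call)."""
    ctx = {"aws:username": user}
    if mfa is not None:
        ctx["aws:MultiFactorAuthPresent"] = mfa
    policies = [build_policy(), ADMIN] if with_admin else [build_policy()]
    return is_allowed(policies, action, resource, ctx)


if __name__ == "__main__":
    print(policy_json())
    for desc, ok in [
        ("no MFA: change own password", check("iam:ChangePassword", user_arn("alice"), False)),
        ("no MFA: change bob's password", check("iam:ChangePassword", user_arn("bob"), False)),
        ("no MFA: ec2:DescribeInstances", check("ec2:DescribeInstances", "*", False)),
        ("MFA: ec2:DescribeInstances", check("ec2:DescribeInstances", "*", True)),
        ("MFA: iam:AddUserToGroup", check("iam:AddUserToGroup", "*", True)),
        ("CLI access keys, no MFA key: ec2", check("ec2:DescribeInstances", "*", None)),
    ]:
        print(f"{'ALLOW' if ok else 'DENY':5}  {desc}")
```

Running the script prints the policy document and the allow/deny outcome of each scenario; the document can be written to a file and attached with `aws iam put-group-policy --group-name Enforce_MFA --policy-name EnforceMFA --policy-document file://policy.json`. The evaluator is deliberately minimal and only understands `Bool`/`BoolIfExists`; use the IAM policy simulator for anything beyond sanity-checking statement shape.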

There’s also this script I made to do this automatically


Just a Spanish DevOps who likes sharing useful knowledge, working proudly @ Cipher