How to force the user to use MFA on AWS

For me any account from anywhere should be mandatory to use the MFA, it’s a great additional security factor you can give your account.

In this tutorial I will show how we force the user to use the AWS MFA in such a way that if they disable it they will not have access to read and perform any operations.

First let’s create a policy in IAM and we’ll call this policy Force_MFA.

To create the policy go to IAM > Policies and click Create Policy, select the JSON option and paste the code that is on my GitHub, the policy name will be Force_MFA: https://github.com/daniel-fulgido/velocirraptor.git

In my AWS account I have the test-mfa user and I have AdministratorAccess permission, I’m going to add the policy we created called Force_MFA to enable forced use of MFA.

If you have multiple users in IAM and you don’t want to assign this permission one by one, create a group and assign the permission to the group.

With the policy enabled on the group or on the user, the user must enable the use of MFA in their account, if not, it will not be possible to run or list anything.

For the user to enable the MFA, just go to My Security Credentials > Assign MFA device and choose between the devices Virtual MFA device, U2F security key or Other hardware MFA device.

I hope I helped you with this post!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store