AWS Identity Center - MFA token

Question

Hi, I've an AWS organisation account setup with Identity Center enabled in the management account. I've enabled MFA sign-in for a test user. I've applied an SCP to one of the member account to deny certain operations.

```
 Statement:
      - Sid: DenyAllExceptListedActionsIfNoMFA
        -----
        Condition:
          BoolIfExists:
            aws:MultiFactorAuthPresent: 'false'
```

Now when I sign in as the test user to the member account  these operations are denied for me irrespective of whether I used MFA to sign-in or not. Would you be able to give an example of how this is supposed to work on console as well as on command line? How do I pass the token? Thanks.

Accepted Answer

As far as I know, currently, you cannot pass MFA status from the Identity Center requirement to the 'Permission Set' created in an account from the IAM IC Service. You will need to require MFA on our IAM IC Users and assume that access to the account was provided only because the user could log in and access the account through Identity Center.
The users in IC are not users presented to your member account(s). The access is granted through an assumed Role.
This is something the SSO/IC team had been working on but I do not think is released yet.
Long and short, that Bool Condition will only work on individual IAM users on a per member account basis.

Answer

Hi,

By default, [all requests are implicitly denied ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)with the exception of the AWS account root user, which has full access.

Can you try to create an Allow policy with aws:MultiFactorAuthPresent: 'true'

Best regards,   
Ricardo Makino

AWS Identity Center - MFA token

Contenuto pertinente