AWS Identity Center - MFA token

1

Hi, I've an AWS organisation account setup with Identity Center enabled in the management account. I've enabled MFA sign-in for a test user. I've applied an SCP to one of the member account to deny certain operations.

 Statement:
      - Sid: DenyAllExceptListedActionsIfNoMFA
        -----
        Condition:
          BoolIfExists:
            aws:MultiFactorAuthPresent: 'false'

Now when I sign in as the test user to the member account these operations are denied for me irrespective of whether I used MFA to sign-in or not. Would you be able to give an example of how this is supposed to work on console as well as on command line? How do I pass the token? Thanks.

2 Answers
1
Accepted Answer

As far as I know, currently, you cannot pass MFA status from the Identity Center requirement to the 'Permission Set' created in an account from the IAM IC Service. You will need to require MFA on our IAM IC Users and assume that access to the account was provided only because the user could log in and access the account through Identity Center. The users in IC are not users presented to your member account(s). The access is granted through an assumed Role. This is something the SSO/IC team had been working on but I do not think is released yet. Long and short, that Bool Condition will only work on individual IAM users on a per member account basis.

profile picture
answered a year ago
profile picture
EXPERT
reviewed 9 months ago
1

Hi,

By default, all requests are implicitly denied with the exception of the AWS account root user, which has full access.

Can you try to create an Allow policy with aws:MultiFactorAuthPresent: 'true'

Best regards,
Ricardo Makino

profile pictureAWS
answered a year ago
profile picture
EXPERT
reviewed 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions