
How to Enforce 2FA for AWS IAM Identity Center with Google Workspace as an External IdP

0

I have configured Google Workspace as an external identity provider for AWS IAM Identity Center. In Google Workspace, I have enforced mandatory 2FA for all users, and they have successfully set it up. However, when my users sign in to AWS, the CloudTrail logs show that 2FA = false for their sessions. Is there a way to configure AWS to recognize Google Workspace’s 2FA? Alternatively, how can I set up additional 2FA requirements directly in AWS to ensure secure access if needed?

1 Answer
1

Because you are using an external identity provider, you rely on your IdP to enforce MFA. AWS just uses your IdP to ensure your users are authenticated. CloudTrail will never see that your users have authenticated with MFA, as that is external to AWS. You can only enforce MFA with Identity Center if you use AWS authentication.

You can configure MFA capabilities in IAM Identity Center when your identity source is configured with IAM Identity Center’s identity store, AWS Managed Microsoft AD, or AD Connector. MFA in IAM Identity Center is currently not supported for external identity providers.

https://docs.aws.amazon.com/singlesignon/latest/userguide/mfa-configure.html

EXPERT
answered a year ago
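An added example, not part of the answer above, of how a defender can interpret the CloudTrail flag correctly: for sessions issued through an Identity Center permission-set role (path `aws-reserved/sso.amazonaws.com/`, name prefix `AWSReservedSSO_`) with an external IdP, `mfaAuthenticated=false` is expected and not a finding, while the same value on a non-federated session is. The events are constructed samples; only the standard `userIdentity.sessionContext` fields are assumed.

```python
from collections import Counter

# Role path IAM Identity Center uses for the roles it provisions per permission set.
IDENTITY_CENTER_ROLE_PATH = "role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_"

def classify_mfa(event: dict, external_idp: bool) -> str:
    """Return how the MFA status of one CloudTrail event should be read.

    mfa-verified-in-aws  session carries mfaAuthenticated=true
    mfa-enforced-at-idp  Identity Center session with an external IdP: the IdP's
                         2FA is invisible to CloudTrail, so false is expected here
    missing-mfa          a session AWS itself should have seen MFA for, but did not
    unknown              event lacks the fields needed to decide
    """
    ctx = event.get("userIdentity", {}).get("sessionContext", {})
    mfa = ctx.get("attributes", {}).get("mfaAuthenticated")
    issuer_arn = ctx.get("sessionIssuer", {}).get("arn", "")
    if mfa is None:
        return "unknown"
    if str(mfa).lower() == "true":
        return "mfa-verified-in-aws"
    if external_idp and IDENTITY_CENTER_ROLE_PATH in issuer_arn:
        return "mfa-enforced-at-idp"
    return "missing-mfa"

def summarize(events: list, external_idp: bool) -> dict:
    """Count events per category; 'missing-mfa' is the only one worth alerting on."""
    return dict(Counter(classify_mfa(e, external_idp) for e in events))

# Constructed sample events (account id and role names are placeholders).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "AssumedRole", "sessionContext": {
        "attributes": {"mfaAuthenticated": "false"},
        "sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/aws-reserved/"
                                 "sso.amazonaws.com/AWSReservedSSO_ReadOnly_0123456789abcdef"}}}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "AssumedRole", "sessionContext": {
        "attributes": {"mfaAuthenticated": "false"},
        "sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/LegacyAdminRole"}}}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "sessionContext": {
        "attributes": {"mfaAuthenticated": "true"}}}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS, external_idp=True))
```

With `external_idp=False` (native Identity Center identity store) the same Identity Center session is reported as `missing-mfa`, since AWS itself would then be the MFA enforcer.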
