How to enforce/enable MFA for other users

0

Hi, how do I enable/enforce MFA for other users? In Users > Security Credentials tab > Multi-factor authentication (MFA), I can set it there, but I have to use my device to scan and enable the MFA. I don't think this is the way. This works fine if the user I am creating it for is right beside me to scan the QR code, but sending the credentials to the user is not possible.

How do I enforce it so that when users log in to the AWS console they have to enable and use MFA?

Asked 1 year ago, viewed 5711 times
3 answers
2

You are correct, the user needs to see the QR code to set up the MFA device. There is no easy way apart from applying a policy to force users to register an MFA device before being able to carry out any other tasks.

Apply this policy to all users or to a group, and add the users for whom you want to enforce MFA to the group.

If you apply this policy to the users, they will not be able to perform any tasks unless they have added MFA.

Once the user has added their MFA, ensure the user logs out and in again.

NOTE: this is for IAM users only. SSO has its own setting to enforce MFA.

{
    "Statement": [
        {
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false",
                    "aws:ViaAWSService": "false"
                }
            },
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:ListVirtualMFADevices",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:ListSSHPublicKeys",
                "iam:ListAccessKeys",
                "iam:ListServiceSpecificCredentials",
                "iam:ListMFADevices",
                "iam:GetAccountSummary",
                "sts:GetSessionToken",
                "iam:GetAccountPasswordPolicy",
                "iam:ChangePassword"
            ],
            "Resource": "*",
            "Sid": "BlockMostAccessUnlessSignedInWithMFA"
        },
        {
            "Action": [
                "iam:CreateVirtualMFADevice"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:mfa/*",
            "Sid": "AllowManageOwnVirtualMFADevice"
        },
        {
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:user/${aws:username}",
            "Sid": "EnforceIAMMFA"
        }
    ],
    "Version": "2012-10-17"
}
Expert
Answered 1 year ago
  • Hi Gary, I'm not really good at creating IAM policies. Does the policy you have shared above give the user access to all resources once he logs in using MFA? I need the user to only have access to these:

    AmazonEC2FullAccess AWSStorageGatewayFullAccess IAMUserChangePassword

  • The policy is tied to only allowing the user to add their own MFA device, etc. You would still need to grant the appropriate access to EC2, etc. This policy prevents the user from even accessing EC2 unless logged in with MFA.

1

To enforce Multi-Factor Authentication (MFA) for other users in AWS, you can follow these steps:

  1. Sign in to the AWS Management Console using your own credentials.

  2. Go to the IAM (Identity and Access Management) service.

  3. In the left navigation pane, click on Users.

  4. Select the user for whom you want to enforce MFA.

  5. In the Security credentials tab, locate the Assigned MFA device section.

  6. Click on the Manage link next to the Assigned MFA device.

  7. In the Manage MFA Device wizard, select the Virtual MFA device option.

  8. Provide instructions to the user on how to set up their MFA device (such as a virtual MFA app on their smartphone). They will need to download an authenticator app like Google Authenticator or Authy.

  9. Once the user has set up their MFA device, they will need to scan the QR code using their MFA app or manually enter the secret key.

  10. After the user has successfully set up their MFA device, click on Assign MFA.

By following these steps, you have now enforced MFA for the user. They will be required to use MFA when logging in to the AWS console. Repeat these steps for each user you want to enforce MFA for.

Amol_M
Answered 1 year ago
  • Nope. This only works if the user you are creating for is right beside you to perform the above.

0

A quick question: what about IAM 'users' that are not actually humans, but just service control entities (I know it should be roles and resource-based permissions, but we are talking legacy solutions here)? Is there a policy I can add to the above to make sure that it affects only users trying to log in to the console? Or is aws:ViaAWSService sufficient for this? I am wary of legacy 'IAM accounts' whose sole purpose is to provide a key for some script somewhere, accessing S3 etc...

DMK
Answered 8 months ago
  • Only apply the policy to humans. Either attach the policy to every group you create for humans, or have an all-users group with the policy attached. Only add humans to the group. If you add machines, it will break their access.
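The following is an added worked example, not code from any of the answers above or from AWS. It embeds Gary's policy and runs a deliberately simplified, offline evaluator over it to show what the BoolIfExists condition actually does in the cases discussed in this thread: a console session without MFA, a console session with MFA (Gary's reply that the policy grants nothing by itself), and DMK's legacy access-key scripts. The evaluator implements only explicit-deny-wins, Action/NotAction, Resource wildcards with the ${aws:username} variable, and the BoolIfExists operator; it ignores SCPs, permission boundaries, resource policies and every other IAM feature, so it is an illustration of this one policy, not a substitute for the IAM policy simulator. The account id, the user names alice, bob and svc-backup, and the S3 bucket name are constructed placeholders. The example relies on the documented behaviour that aws:MultiFactorAuthPresent is absent from the request context when a request is signed with long-term access keys, which is why the policy breaks machine users.

```python
import fnmatch

# Gary's policy from the answer above, embedded so this example runs offline.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BlockMostAccessUnlessSignedInWithMFA", "Effect": "Deny",
         "NotAction": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice",
                       "iam:ListVirtualMFADevices", "iam:EnableMFADevice", "iam:ResyncMFADevice",
                       "iam:ListAccountAliases", "iam:ListUsers", "iam:ListSSHPublicKeys",
                       "iam:ListAccessKeys", "iam:ListServiceSpecificCredentials",
                       "iam:ListMFADevices", "iam:GetAccountSummary", "sts:GetSessionToken",
                       "iam:GetAccountPasswordPolicy", "iam:ChangePassword"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false",
                                        "aws:ViaAWSService": "false"}}},
        {"Sid": "AllowManageOwnVirtualMFADevice", "Effect": "Allow",
         "Action": ["iam:CreateVirtualMFADevice"], "Resource": "arn:aws:iam::*:mfa/*"},
        {"Sid": "EnforceIAMMFA", "Effect": "Allow",
         "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice",
                    "iam:ListMFADevices", "iam:ResyncMFADevice"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statement_applies(stmt, action, resource, ctx):
    """True if the statement matches this request (action, resource and condition)."""
    if "Action" in stmt and not any(_match(p, action) for p in _as_list(stmt["Action"])):
        return False
    # NotAction: the statement applies to every action EXCEPT the listed ones.
    if "NotAction" in stmt and any(_match(p, action) for p in _as_list(stmt["NotAction"])):
        return False
    username = ctx.get("aws:username", "")
    resources = [r.replace("${aws:username}", username) for r in _as_list(stmt["Resource"])]
    if not any(_match(r, resource) for r in resources):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "BoolIfExists":  # simplified evaluator: only this operator is modelled
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            # BoolIfExists: a key that is absent from the request context counts as a match,
            # so a long-term access key (no aws:MultiFactorAuthPresent key) still hits the Deny.
            if key in ctx and str(ctx[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'. An explicit Deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def scenarios():
    """The request shapes discussed in the thread, evaluated against POLICY (constructed data)."""
    account = "123456789012"  # placeholder account id
    alice, bob = f"arn:aws:iam::{account}:user/alice", f"arn:aws:iam::{account}:user/bob"
    no_mfa = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "false"}
    with_mfa = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
    access_key = {"aws:username": "svc-backup"}  # long-term key: MFA key absent from context
    via_service = {"aws:username": "svc-backup", "aws:ViaAWSService": "true"}
    cases = {
        "console_no_mfa_describe_ec2": ("ec2:DescribeInstances", "*", no_mfa),
        "console_no_mfa_create_own_virtual_mfa":
            ("iam:CreateVirtualMFADevice", f"arn:aws:iam::{account}:mfa/alice", no_mfa),
        "console_no_mfa_enable_own_mfa": ("iam:EnableMFADevice", alice, no_mfa),
        "console_no_mfa_enable_other_users_mfa": ("iam:EnableMFADevice", bob, no_mfa),
        # With MFA the Deny no longer applies, but this policy grants nothing else:
        # EC2 access still needs e.g. AmazonEC2FullAccess attached separately.
        "console_with_mfa_describe_ec2": ("ec2:DescribeInstances", "*", with_mfa),
        # DMK's legacy script user: denied, which is why the policy must not go on machine users.
        "access_key_script_list_bucket": ("s3:ListBucket", "arn:aws:s3:::legacy-bucket", access_key),
        "call_made_via_aws_service": ("ec2:DescribeInstances", "*", via_service),
    }
    return {name: evaluate(POLICY, a, r, c) for name, (a, r, c) in cases.items()}


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:45s} {decision}")
```

Reading the results side by side shows the two practical consequences raised in the thread: the policy only opens the self-service MFA path (create and enable a device on the caller's own user) while blocking everything else, and it blocks any request that arrives without the aws:MultiFactorAuthPresent key at all, which is exactly what a long-term access key looks like.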
