How to enforce IAM users to use multi factor authentication to use the console?

痞子三分冷 submitted on 2020-06-25 03:45:11

Question


I'd like to require the usage of MFA to IAM users when they log into the AWS Console. I know that's possible to do that for API access, but not sure whether is possible to achieve the same when logging into the Console.


Answer 1:


Update

You can enforce your requirement with an IAM Policy based on an IAM condition that specifies the aws:MultiFactorAuthAge key as outlined in section IAM Policies with MFA Conditions within Configuring MFA-Protected API Access - you can enforce this at two levels:

  • Existence — To simply verify that the user has been authenticated with MFA, check that the aws:MultiFactorAuthAge key is not null. (If the user has not been authenticated with MFA, this key doesn't exist and therefore is null.)
  • Duration — If you want to grant access only within a specified time after MFA authentication, use a numeric condition type to compare the key's age to a value (such as 3600 seconds).

Accordingly, a generic IAM policy for all AWS actions that simply tests for the existence of MFA authentication might look as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Null": {"aws:MultiFactorAuthAge": "false"}
      }
    }
  ]
}

Initial Answer

This is a case of 'it just works', i.e. there's nothing to be done regarding MFA-Protected Access for the AWS Management Console specifically, insofar as the console uses the API in turn and calls every API action with the logged-in user's IAM credentials accordingly (once a user has configured and enabled an MFA device, the login page will require entering the MFA token automatically) - see also section Using MFA-Protected APIs Through the Console within Configuring MFA-Protected API Access:

AWS evaluates MFA-protected API policies for actions in the console, such as terminating an Amazon EC2 instance. Set up the IAM user with an MFA device and enable an MFA-protected API policy. The user can then simply log into the console with MFA authentication and is subject to the policies for MFA-protected APIs. For users who already have an assigned MFA device, the console experience doesn't change (except for optional time limits on certain MFA-protected APIs that require more frequent re-authentication). For more information on setting up an IAM user with an MFA device, see Setting Up an MFA Device.




Answer 2:


In the meantime, AWS itself has provided a tutorial on how to force users to use an MFA device while still enabling them to manage an MFA device on their own. This is quite similar to the updated answer from Steffen, but differs in the details.

It works by

  1. Creating an IAM Policy based on this official AWS template, which basically forbids everything except IAM operations without an active MFA login.
  2. Assigning the Policy to your relevant IAM users – or better – IAM Groups.
  3. After you have created IAM users and passed them their initial credentials, the users will receive a "You are not authorized to perform this operation." error on all operations except accessing the IAM security console.
  4. After registering an MFA device, logging out and then back in with their new MFA token, they will be able to operate everything as expected.
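The following is an added example, not code from either answer or from AWS: a small offline simulator of how the two MFA condition keys mentioned above decide a request. It covers the existence check (Null on aws:MultiFactorAuthAge) and the duration check (NumericLessThan) from Answer 1, and the deny-everything-except-MFA-enrolment pattern from Answer 2 (Deny with NotAction and BoolIfExists on aws:MultiFactorAuthPresent). The policy documents, the list of self-enrolment actions and the request contexts are constructed for the demonstration and condensed compared with the AWS template; the evaluator models only the handful of operators needed here, not the real IAM engine.

```python
"""
Offline simulator for the MFA condition keys discussed in both answers.
Constructed example: this is NOT the AWS policy engine. It models only
Allow/Deny, Action/NotAction with '*' wildcards, and the Null,
NumericLessThan, Bool and BoolIfExists operators, which is enough to show
how the existence check, the duration check and the deny-unless-MFA
pattern decide a request. Resources are ignored.
"""
from fnmatch import fnmatch

# Answer 1: allow everything, but only if the caller authenticated with MFA.
# "Null": "false" -> aws:MultiFactorAuthAge must be present in the request.
MFA_EXISTENCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "*", "Resource": "*",
        "Condition": {"Null": {"aws:MultiFactorAuthAge": "false"}},
    }],
}

# Answer 1, duration variant: the MFA login must be younger than 3600 seconds.
MFA_DURATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "*", "Resource": "*",
        "Condition": {"NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}},
    }],
}

# Answer 2 pattern, condensed (constructed, not the full AWS template): deny every
# action except the ones needed to enrol an MFA device unless MFA is present.
# BoolIfExists also matches when the key is missing from the context, so a
# caller with no MFA information at all is denied rather than let through.
MFA_SELF_ENROL_ACTIONS = [
    "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices",
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ResyncMFADevice",
]
DENY_WITHOUT_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": MFA_SELF_ENROL_ACTIONS, "Resource": "*"},
        {"Effect": "Deny", "NotAction": MFA_SELF_ENROL_ACTIONS, "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
# The user's ordinary permissions, attached separately (constructed).
USER_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def condition_matches(condition, ctx):
    """Return True when every clause of the Condition block holds for ctx."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            present = key in ctx
            if operator == "Null":
                # "true": key must be absent; "false": key must be present.
                if (not present) != (expected == "true"):
                    return False
            elif operator == "NumericLessThan":
                if not present or not int(ctx[key]) < int(expected):
                    return False
            elif operator == "Bool":
                if not present or ctx[key] != expected:
                    return False
            elif operator == "BoolIfExists":
                # Missing key counts as a match; otherwise compare the value.
                if present and ctx[key] != expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def statement_applies(stmt, action, ctx):
    """Does this statement cover the action and does its condition hold?"""
    patterns = stmt.get("Action", stmt.get("NotAction"))
    if isinstance(patterns, str):
        patterns = [patterns]
    listed = any(fnmatch(action, p) for p in patterns)
    if "NotAction" in stmt:
        listed = not listed
    return listed and condition_matches(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, ctx):
    """IAM ordering: an explicit Deny wins, then any Allow, else implicit deny."""
    decision = "implicit-deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, ctx):
                if stmt["Effect"] == "Deny":
                    return "deny"
                decision = "allow"
    return decision


# Constructed request contexts. Without MFA neither key is set at all.
NO_MFA = {}
FRESH_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "120"}
STALE_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "7200"}
ENROL_SET = [DENY_WITHOUT_MFA_POLICY, USER_PERMISSIONS_POLICY]


def demo():
    """Decisions for the scenarios described in the two answers."""
    return {
        "existence/no-mfa": evaluate([MFA_EXISTENCE_POLICY], "ec2:TerminateInstances", NO_MFA),
        "existence/fresh": evaluate([MFA_EXISTENCE_POLICY], "ec2:TerminateInstances", FRESH_MFA),
        "duration/fresh": evaluate([MFA_DURATION_POLICY], "ec2:TerminateInstances", FRESH_MFA),
        "duration/stale": evaluate([MFA_DURATION_POLICY], "ec2:TerminateInstances", STALE_MFA),
        "enrol/no-mfa-ec2": evaluate(ENROL_SET, "ec2:TerminateInstances", NO_MFA),
        "enrol/no-mfa-enable": evaluate(ENROL_SET, "iam:EnableMFADevice", NO_MFA),
        "enrol/fresh-ec2": evaluate(ENROL_SET, "ec2:TerminateInstances", FRESH_MFA),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:22} -> {decision}")
```

Running the file prints one decision per scenario. The two outcomes worth noticing are that the existence and duration policies never deny explicitly (a failed condition just means the Allow does not apply, so the user ends at implicit deny), while Answer 2's pattern produces an explicit Deny that overrides any other Allow the user holds, which is why it can be layered on top of existing group policies without editing them.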


Source: https://stackoverflow.com/questions/21917197/how-to-enforce-iam-users-to-use-multi-factor-authentication-to-use-the-console
