Diego Martin · tutorials · 4 min read

Enforce 2FA to all users in AWS IAM

Learn a way to enforce 2FA configuration to any IAM user using a policy within an AWS account


As the security landscape evolves, it becomes increasingly important to ensure that access to your AWS account is both secure and controlled. A critical component of securing access is the implementation of Two-Factor Authentication (2FA). 2FA adds an additional layer of security by requiring users to present two forms of identification before being granted access. This article will guide you through the process of enforcing 2FA for all IAM users in your AWS account, ensuring that your data remains secure.

Creating an IAM Policy

To enforce 2FA for IAM users, we must create a custom IAM policy. This policy will restrict access to the AWS Management Console unless the user has configured 2FA. Here are the steps to create a policy named, for example, RequireMFA:

  1. Navigate to the IAM console in your AWS account.
  2. Select “Policies” from the sidebar and click the “Create policy” button.
  3. Choose the JSON tab and paste the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListActions",
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowUserToCreateVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/*"
        },
        {
            "Sid": "AllowUserToManageTheirOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:EnableMFADevice",
                "iam:GetMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowUserToDeactivateTheirOwnMFAOnlyWhenUsingMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        },
        {
            "Sid": "AllowChangeOwnPasswordAndCreateLoginProfile",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:CreateLoginProfile"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "BlockMostAccessUnlessSignedInWithMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ListUsers",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "iam:ChangePassword",
                "iam:CreateLoginProfile"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

This policy allows users to manage their own MFA devices and requires MFA to be present for most actions within the AWS Console. It permits the listing of users and virtual MFA devices, the creation and management of their own MFA, and changing their own password. Importantly, it denies access to other actions unless the user is signed in with MFA.
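As an added example (not from the original post or from AWS), the evaluator below reproduces just the IAM semantics this policy relies on: Action/NotAction matching, ${aws:username} substitution in Resource, and the Bool and BoolIfExists condition operators. It is fed two statements copied from the policy above (the Allow for managing one's own MFA device and the final Deny) and shows why the Deny uses BoolIfExists rather than Bool: a request signed with a long-term access key carries no aws:MultiFactorAuthPresent key at all, so a plain Bool condition would never match it and the user could bypass the restriction from the CLI. Account id and user names in the calls are constructed.

```python
import fnmatch

def _matches(patterns, value, username=""):
    """IAM wildcard match ('*', '?') after ${aws:username} substitution."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p.replace("${aws:username}", username))
               for p in patterns)

def _condition_holds(condition, context):
    """BoolIfExists also matches when the key is absent, as it is for requests
    signed with long-term access keys; plain Bool then never matches."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context and operator == "BoolIfExists":
                continue  # absent key counts as a match for BoolIfExists
            if str(context.get(key, "")).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy, action, resource, context):
    """'Allow', 'Deny' or 'ImplicitDeny' for one request; explicit Deny wins."""
    username = context.get("aws:username", "")
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            action_hit = _matches(stmt["Action"], action)
        else:  # NotAction: the statement covers every action NOT listed
            action_hit = not _matches(stmt["NotAction"], action)
        if not (action_hit and _matches(stmt["Resource"], resource, username)
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def require_mfa_subset(operator="BoolIfExists"):
    """Two RequireMFA statements copied from the policy above (constructed test
    input); `operator` swaps the Deny's BoolIfExists for plain Bool to compare."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "arn:aws:iam::*:user/${aws:username}",
         "Action": ["iam:EnableMFADevice", "iam:GetMFADevice",
                    "iam:ListMFADevices", "iam:ResyncMFADevice"]},
        {"Effect": "Deny", "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
         "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                       "iam:ListMFADevices", "iam:ListUsers",
                       "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                       "iam:ChangePassword", "iam:CreateLoginProfile"]}]}
```

Note that with MFA present the policy still returns ImplicitDeny for actions such as s3:ListAllMyBuckets: RequireMFA only lifts its own Deny, and the user's other policies must grant the actual permissions.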

Create an IAM Group

Optionally, you can create an IAM group to manage users who require 2FA. This can be useful for organizing users with similar permission requirements. For example, you might create a group called Developers and attach the RequireMFA policy to it. To create a group and attach the policy:

  1. Navigate to the IAM console in your AWS account.
  2. Select “Groups” from the sidebar and click the “Create New Group” button.
  3. Name the group (e.g., Developers) and attach the RequireMFA policy you created earlier.
  4. Add users to the group as necessary.

This approach ensures that all members of the group must configure 2FA for their accounts.

Test Access to Console

To test the effectiveness of the RequireMFA policy:

  1. Log in to the AWS Management Console as a user affected by the policy but without 2FA configured.
  2. Notice that access is severely restricted, with unauthorized errors for most actions.

As you implement the steps outlined above, you’ll significantly enhance the security posture of your AWS account by ensuring that all IAM users are required to use Two-Factor Authentication (2FA). This simple yet effective measure adds a critical layer of security, safeguarding against unauthorized access and potential security breaches.

Remember, security is not a one-time setup but a continuous process. Regularly review your policies, monitor IAM activities, and educate your users about security best practices. By fostering a culture of security within your organization, you can better protect your resources and data in the cloud.

Implementing 2FA across your AWS environment is a proactive step towards securing your digital assets. As you continue to explore AWS’s robust security features, consider integrating other security measures such as identity federation, encryption, and access logging to further bolster your defenses.

In conclusion, the journey to secure cloud computing is ongoing, and enforcing 2FA for IAM users is a vital milestone. By taking these steps today, you ensure a safer tomorrow for your AWS environment. Stay secure, and happy cloud computing!
