AWS Multi-Factor Authentication (MFA) adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication response from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.
In this article, we are going to explain how to enforce the usage of MFA for your IAM users (in the Console and in awscli) by using a custom policy that requires that MFA is enabled to perform any action. We are also going to provide a custom script to automate session token generation (required to use awscli).
Policy to enforce MFA for AWS IAM users
We are going to create a policy that allows IAM users to self-manage an MFA device. This policy grants the permissions necessary to complete this action from the AWS API or AWS CLI only.
Now, assign this policy to your users or groups along with the other policies you desire and they will be forced to use MFA to perform any action.
Automate temporary AWS keys generation using a custom script
With the former policy, in order to be able to use awscli, you must create a temporary session token instead. To do this, you have to run the sts get-session-token AWS CLI command, replacing the variables with information from your account, resources, and MFA device:
You’ll receive output with temporary credentials and an expiration time for those temporary credentials (by default, 12 hours). However, it’s quite painful having to do this, at maximum, every 36 hours. We created a custom script to automate this process. When invoked, it will call sts get-session-token command and populate awscli config profile with this temporary token. To invoke it, use the following command. Remember to replace the placeholder values on the script with your profile names and AWS account ID.
./aws-token.sh <username> <mfa_token_code>