This README provides a detailed overview of the AWS MFA Enforcement Stack and its resources, which automate the requirement for IAM users to have Multi-Factor Authentication (MFA) enabled if they possess console access.
AWS MFA Enforcement Stack is an AWS CloudFormation template that can be used to enforce Multi-Factor Authentication (MFA) for IAM users with console access. The CloudFormation stack sets up an environment where IAM users without MFA are restricted to managing their credentials until MFA is enabled for their accounts.
The stack creates several resources to support this functionality:
EnforceMFAPolicy: An IAM managed policy that only allows users to manage their credentials and MFA devices.Group: An IAM group to which non-compliant users will be added. This group is attached to theEnforceMFAPolicy.IamUserMfaEnabled: A Config rule that checks if IAM users have MFA enabled.RemediationConfiguration: A Config remediation that triggers an SNS notification when theIamUserMfaEnabledrule finds a non-compliant user.LambdaLogGroup: A Log Group for logging outputs from the Lambda function.LambdaExecutionRole: An IAM role with permissions for the Lambda function to manage users and log events.FunctionInvokePermission: Grants the SNS topic permission to invoke the Lambda function.LambdaFunction: A Lambda function that adds non-compliant IAM users to the restricted IAM group.SNSTopic: An SNS topic for publishing notifications about non-compliant IAM users.SNSSubscription: A subscription that links theSNSTopicto theLambdaFunctionfor automatic triggering.SNSPublisherRole: An IAM role that allows SSM to publish to theSNSTopic.SNSTopicPolicy: Policy defining who can publish to theSNSTopic.
- Log in to your AWS Management Console.
- Navigate to the AWS CloudFormation service.
- Choose to create a new stack and either upload the provided CloudFormation template file or input the Amazon S3 URL where the template is hosted.
- Follow the prompts in the CloudFormation Wizard to specify stack details and configure stack options.
- Review the stack details, acknowledging any capabilities that require acknowledgement (e.g., IAM resource creation).
- Click "Create stack" to deploy the stack to your AWS account.
After deployment:
- AWS Config will periodically check the compliance status of IAM users against the
IamUserMfaEnabledrule requirement. - Upon detecting non-compliant users, an SNS notification is sent to the
SNSTopic. - The
SNSSubscriptionwill trigger theLambdaFunctionwhen a message is published to theSNSTopic. - The
LambdaFunctionruns, adding the identified non-compliant user to theGroupwith the attachedEnforceMFAPolicythat restricts actions to MFA management. - The user will be compelled to set up MFA before they can perform any other actions in the AWS Management Console.
- AWS account with sufficient permissions to create the resources listed above.
- Appropriate IAM permissions for the creation and execution of CloudFormation stacks, AWS Config rules, Lambda functions, IAM Managed Policies, and SNS topics.
- Knowledge of CloudFormation and the AWS environment for potential stack customization.
If additional actions are required for compliance or if there are specific actions that should still be allowed without MFA, modify the EnforceMFAPolicy within the template. Ensure to test any changes in a controlled environment before deploying to production.
This stack implements the least privilege principle by only allowing IAM users to manage their credentials and MFA devices until they comply with the MFA policy. Audit your environment regularly to ensure that security policies are being enforced as intended.
This stack is provided as-is, with no warranties. For any issues or feature requests, please use GitHub issues on the repository page where this CloudFormation template is hosted.