In today's cloud-driven world, securing access to your AWS resources is more critical than ever. One effective way to enhance security is by enforcing Multi-Factor Authentication (MFA) for all IAM users. This additional layer of protection significantly reduces the risk of unauthorized access. In this guide, we will walk you through setting up MFA enforcement for IAM users using AWS CloudFormation and Terraform.
For a detailed step-by-step guide, visit the full article on Medium.
- Create an IAM group that enforces MFA for all its members.
- Attach a policy to this group that requires users to enable MFA before they can access AWS resources.
- Allow users to manage their own IAM settings (passwords, access keys, signing certificates, SSH public keys, and MFA devices) while enforcing MFA for all other actions.
- Ensure seamless MFA setup so that users can easily enable MFA upon their next login.
- Basic knowledge of AWS IAM and infrastructure as code (IaC) tools.
- AWS CLI installed and configured on your local machine.
- Terraform installed on your local machine (for the Terraform section).
- Necessary permissions to create IAM roles, policies, and groups in your AWS account.
1. Define the CloudFormation Template
   - Save the YAML content to a file named `enforce-mfa.yaml`.
2. Deploy the CloudFormation Stack
   - Use the AWS CLI to deploy the CloudFormation stack:
     ```bash
     aws cloudformation create-stack --stack-name EnforceMFAStack --template-body file://enforce-mfa.yaml --capabilities CAPABILITY_NAMED_IAM
     ```
3. Add Users to the MFAEnforcedGroup
   - After deploying the stack, add users to the `MFAEnforcedGroup` using the AWS CLI:
     ```bash
     aws iam add-user-to-group --group-name MFAEnforcedGroup --user-name <user1>
     aws iam add-user-to-group --group-name MFAEnforcedGroup --user-name <user2>
     # Repeat for other users
     ```
4. Verify MFA Enforcement
   - Users in the `MFAEnforcedGroup` will need to enable MFA to access AWS resources. Here's how users can set up MFA:
     - Log in to the AWS Management Console.
     - Navigate to the IAM section.
     - Go to the "Users" section and select your username.
     - Click on the "Security credentials" tab.
     - Scroll down to the "Assigned MFA device" section and click "Manage".
     - Follow the instructions to assign a virtual MFA device (e.g., using Google Authenticator).
5. Test After Enabling MFA
   - Once MFA is enabled, users can log out and log back in to verify they can access AWS resources as usual.
1. Define the Terraform Configuration
   - Create a file named `main.tf` with the necessary Terraform code.
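As an added example (not the article's own `main.tf`), the following Terraform configuration builds the group and the self-service-plus-MFA policy described above: the group name is the page's `MFAEnforcedGroup`, while the statement SIDs, the policy name and the assumption that the AWS provider is already configured are mine.

```hcl
# Added example, not the article's main.tf; assumes the AWS provider is configured.
resource "aws_iam_group" "mfa_enforced" {
  name = "MFAEnforcedGroup"
}

data "aws_iam_policy_document" "enforce_mfa" {
  statement {
    sid       = "AllowViewAccountInfo"
    effect    = "Allow"
    actions   = ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"]
    resources = ["*"]
  }
  # Self-service on the caller's OWN user only (password, access keys, signing
  # certs, SSH keys, MFA). $${aws:username} is Terraform escaping for ${aws:username}.
  statement {
    sid    = "AllowManageOwnCredentialsAndMFA"
    effect = "Allow"
    actions = [
      "iam:ChangePassword", "iam:GetUser", "iam:CreateAccessKey", "iam:DeleteAccessKey",
      "iam:ListAccessKeys", "iam:UpdateAccessKey", "iam:UploadSigningCertificate",
      "iam:DeleteSigningCertificate", "iam:ListSigningCertificates", "iam:UpdateSigningCertificate",
      "iam:UploadSSHPublicKey", "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey",
      "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice",
    ]
    resources = ["arn:aws:iam::*:user/$${aws:username}", "arn:aws:iam::*:mfa/$${aws:username}"]
  }
  # Deny everything except what enrolment needs until MFA is present. BoolIfExists
  # also catches long-term access keys, which never carry aws:MultiFactorAuthPresent.
  statement {
    sid    = "DenyAllExceptListedIfNoMFA"
    effect = "Deny"
    not_actions = [
      "iam:ChangePassword", "iam:GetAccountPasswordPolicy", "iam:GetUser",
      "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices",
      "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken",
    ]
    resources = ["*"]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}
resource "aws_iam_group_policy" "enforce_mfa" {
  name   = "EnforceMFA"
  group  = aws_iam_group.mfa_enforced.name
  policy = data.aws_iam_policy_document.enforce_mfa.json
}
```

`iam:DeactivateMFADevice` and `iam:DeleteVirtualMFADevice` are deliberately absent from the allow list, so a session without MFA cannot remove an enrolled device. `sts:GetSessionToken` is left out of the deny so CLI users can obtain MFA-backed temporary credentials.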
2. Initialize Terraform
   - Run the following commands to initialize Terraform and apply the configuration:
     ```bash
     terraform init
     terraform apply
     ```
3. Add Users to the MFAEnforcedGroup
   - Use the AWS CLI to add users to the `MFAEnforcedGroup`:
     ```bash
     aws iam add-user-to-group --group-name MFAEnforcedGroup --user-name <user1>
     aws iam add-user-to-group --group-name MFAEnforcedGroup --user-name <user2>
     # Repeat for other users
     ```
4. Verify MFA Enforcement
   - Users in the `MFAEnforcedGroup` will need to enable MFA to access AWS resources. Here's how users can set up MFA:
     - Log in to the AWS Management Console.
     - Navigate to the IAM section.
     - Go to the "Users" section and select your username.
     - Click on the "Security credentials" tab.
     - Scroll down to the "Assigned MFA device" section and click "Manage".
     - Follow the instructions to assign a virtual MFA device (e.g., using Google Authenticator).
5. Test After Enabling MFA
   - Once MFA is enabled, users can log out and log back in to verify they can access AWS resources as usual.
By following this guide, you will enhance the security of your AWS environment by enforcing MFA for all IAM users. Using AWS CloudFormation and Terraform, you can automate this process, ensuring consistency and ease of management. This approach not only protects your AWS resources with an additional layer of security but also empowers users to manage their own IAM settings without compromising security. Implementing MFA is a best practice that helps safeguard your infrastructure against unauthorized access and potential security breaches.