Is the ‘Enforce MFA’ AWS policy effective?
AWS publishes an ‘Enforce MFA’ IAM policy at https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/ as its recommended way to require MFA for CLI and API access. Some users question the effectiveness of this policy because it exempts the ‘iam:DeleteVirtualMFADevice’ action from the MFA requirement: if a user can delete their MFA device without MFA, can an attacker holding only that user's access keys do the same? This article aims to provide clarity on this matter.
Understanding the ‘Enforce MFA’ policy
The ‘Enforce MFA’ policy is designed to enforce Multi-Factor Authentication (MFA) as an additional security measure for IAM users. Its core is a Deny statement whose NotAction element lists a handful of exempt actions and whose condition tests aws:MultiFactorAuthPresent with BoolIfExists set to false. The IfExists form matters: a request signed with long-term access keys carries no aws:MultiFactorAuthPresent key at all, and BoolIfExists treats that absence as a match, so every non-exempt action is denied unless the credentials come from an MFA-authenticated session.
The exemptions are the actions a user needs in order to get an MFA device working in the first place, which by definition happen before they can be MFA-authenticated: creating, enabling, resyncing and deleting their own virtual MFA device, listing users, MFA devices and account aliases, and calling sts:GetSessionToken to exchange an MFA code for a temporary MFA-authenticated session. Deactivating an MFA device (iam:DeactivateMFADevice) is deliberately not on that list; a separate Allow statement permits it only when aws:MultiFactorAuthPresent is true.
Deactivating and deleting MFA devices
Deletion cannot be used as a shortcut around deactivation. AWS documents that a virtual MFA device must be deactivated, that is, detached from the user with iam:DeactivateMFADevice, before iam:DeleteVirtualMFADevice will succeed; calling delete on a device that is still enabled fails with a DeleteConflict error. Under this policy, deactivation is only allowed from an MFA-authenticated session, so a caller holding nothing but the user's access keys is stopped at the first step. The exempt ‘iam:DeleteVirtualMFADevice’ permission exists for the device that was created but never enabled (for example, when enrolment was abandoned partway), which a user must be able to remove without MFA so that they can start over.
Deleting an MFA device therefore does not bypass the MFA requirement. A holder of long-term access keys with no MFA session is still explicitly denied everything outside the exemption list, including the deactivation step that deletion depends on; what such a caller can do is limited to setting up, or cleaning up, a device that is not yet enabled.
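The two-step dependency described above, as an added example that is not part of the original article and not AWS's own code: a small Python model of IAM's evaluation logic (an explicit Deny wins, otherwise some Allow must match, with the Bool and BoolIfExists operators handled as IAM does) run against a shortened copy of the knowledge-center policy's MFA statements, combined with the documented API rule that an enabled virtual MFA device cannot be deleted. The policy dict is reproduced from the AWS page and trimmed to the statements that matter here, so treat the live page as the source of truth; the account ID, the users alice and bob, and the device state are constructed for the example.

```python
"""Toy model of IAM's evaluation of the 'Enforce MFA' policy (added example, not AWS code).
Policy dict: shortened copy of the knowledge-center policy; account ID and users are made up."""
import fnmatch

ACCOUNT = "123456789012"  # constructed
OWN_MFA = ["arn:aws:iam::*:mfa/${aws:username}", "arn:aws:iam::*:user/${aws:username}"]

ENFORCE_MFA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowListActions", "Effect": "Allow",
     "Action": ["iam:ListUsers", "iam:ListVirtualMFADevices"], "Resource": "*"},
    # Creating, enabling, resyncing and deleting one's own device needs no MFA...
    {"Sid": "AllowIndividualUserToManageTheirOwnMFA", "Effect": "Allow",
     "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice", "iam:ResyncMFADevice", "iam:ListMFADevices"],
     "Resource": OWN_MFA},
    # ...but deactivating it is allowed only from an MFA-authenticated session.
    {"Sid": "AllowDeactivateOnlyWhenUsingMFA", "Effect": "Allow",
     "Action": ["iam:DeactivateMFADevice"], "Resource": OWN_MFA,
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    # Everything not on the exemption list is denied when MFA is false or absent.
    {"Sid": "BlockMostAccessUnlessSignedInWithMFA", "Effect": "Deny",
     "NotAction": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice",
                   "iam:ListVirtualMFADevices", "iam:EnableMFADevice", "iam:ResyncMFADevice",
                   "iam:ListAccountAliases", "iam:ListUsers", "iam:ListMFADevices",
                   "iam:GetAccountSummary", "sts:GetSessionToken"],
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

# Long-term access keys carry no aws:MultiFactorAuthPresent key at all; that absence is
# why the Deny statement must use BoolIfExists rather than Bool. Both contexts constructed.
NO_MFA = {"aws:username": "alice"}
MFA_SESSION = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}

def arn(kind, user):
    """ARN of a user ('user') or of their virtual device ('mfa') in the constructed account."""
    return f"arn:aws:iam::{ACCOUNT}:{kind}/{user}"

def _matches(patterns, value, username):
    """IAM-style wildcard match after substituting the ${aws:username} policy variable."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p.replace("${aws:username}", username))
               for p in patterns)

def _condition_ok(condition, ctx):
    """Only the two operators this policy uses: Bool and BoolIfExists."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            if key not in ctx:  # missing key: ...IfExists matches, plain Bool does not
                if operator == "BoolIfExists":
                    continue
                return False
            if str(ctx[key]).lower() != str(wanted).lower():
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'; an explicit Deny always wins."""
    username, allowed = ctx["aws:username"], False
    for st in policy["Statement"]:
        if "Action" in st:
            action_hit = _matches(st["Action"], action, username)
        else:
            action_hit = not _matches(st["NotAction"], action, username)
        if not (action_hit and _matches(st["Resource"], resource, username)):
            continue
        if not _condition_ok(st.get("Condition"), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def deactivate_mfa_device(user, ctx, enabled):
    """DeactivateMFADevice: authorization first, then detach the device from the user."""
    if evaluate(ENFORCE_MFA_POLICY, "iam:DeactivateMFADevice", arn("user", user), ctx) != "Allow":
        return "AccessDenied"
    enabled.discard(arn("mfa", user))
    return "Deactivated"

def delete_virtual_mfa_device(user, ctx, enabled):
    """DeleteVirtualMFADevice: authorization first, then AWS's documented rule that a
    device still enabled for a user cannot be deleted (DeleteConflict)."""
    device = arn("mfa", user)
    if evaluate(ENFORCE_MFA_POLICY, "iam:DeleteVirtualMFADevice", device, ctx) != "Allow":
        return "AccessDenied"
    if device in enabled:
        return "DeleteConflict"
    return "Deleted"

def strip_mfa(ctx, user="alice"):
    """Try to remove the user's active device (deactivate, then delete); return the two
    API outcomes and whether the device is still enabled afterwards."""
    enabled = {arn("mfa", user)}  # constructed state: one enabled virtual device
    outcomes = (deactivate_mfa_device(user, ctx, enabled),
                delete_virtual_mfa_device(user, ctx, enabled))
    return outcomes, arn("mfa", user) in enabled

if __name__ == "__main__":
    print("stolen long-term keys:", strip_mfa(NO_MFA))
    print("MFA session:          ", strip_mfa(MFA_SESSION))
```

With the NO_MFA context (what an attacker holding stolen access keys has), strip_mfa returns ('AccessDenied', 'DeleteConflict') and the device stays enabled: the policy's Deny statement stops the deactivation, and the API's own precondition stops the delete. With MFA_SESSION, which models the temporary credentials the knowledge-center article has users obtain via sts:GetSessionToken with a serial number and token code, the same two calls return ('Deactivated', 'Deleted'). The evaluator also shows the resource scoping: alice's keys get 'ImplicitDeny' for deleting bob's device, and a plain s3:ListAllMyBuckets is an explicit 'Deny' without MFA and only an 'ImplicitDeny' with it, because this policy grants nothing beyond MFA management and other policies must supply the real permissions.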
Conclusion
The ‘Enforce MFA’ AWS policy is effective in enforcing MFA as an additional layer of security. The exempt ‘iam:DeleteVirtualMFADevice’ action lets users manage and remove their own virtual devices, while the API's deactivate-before-delete rule and the MFA condition on iam:DeactivateMFADevice together keep an enabled device out of reach of anyone who holds only the user's access keys. Deactivating before deleting is not merely a best practice to follow; the API requires it, and that requirement is exactly what makes the exemption safe. Two things to check when adopting the policy: it only governs the users and groups it is attached to, and the Deny statement's NotAction list must not be extended to include iam:DeactivateMFADevice, since that single addition would turn the exemption into a genuine bypass.