Tuesday, 27 January 2015

enforce MFA for AWS console login, but not for API calls

I am looking to enforce all IAM users (local and remote) to enable and activate their MFA devices. I want them all to enable MFA to do their respective tasks.


I am trying with the following policy:

    {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }

However, this policy applies irrespective of how you are accessing the services, through the console or through APIs.


There is a lot of automation done by all users and their automation breaks as MFA authentication was not implied.


As a first step, we wish everybody to at least enable MFA for console login; but the same should not force them to use MFA for API calls used in automation.


Is this achievable through IAM policy?


Thanks
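The behaviour the question runs into comes from how IAM evaluates a `Bool` condition when the key is absent from the request: `aws:MultiFactorAuthPresent` is only populated for temporary credentials (console sessions, STS tokens), so a request signed with a long-term access key carries no such key at all, the `Bool` test fails, and the `Allow` never fires. The added example below (not part of the original post, and not AWS's evaluation engine, only a simplified model of the documented Bool / BoolIfExists semantics) contrasts the policy from the question with the same statement using `BoolIfExists`, which treats a missing key as a match. The request contexts are constructed for illustration; Action and Resource matching is not modelled since both policies use `*`.

```python
import json

# Constructed request contexts (not captured from a real account). The MFA key
# is present only for temporary credentials; long-term access keys omit it.
REQUESTS = {
    "console_with_mfa":    {"aws:MultiFactorAuthPresent": "true"},
    "console_without_mfa": {"aws:MultiFactorAuthPresent": "false"},
    "access_key_api":      {},                                   # key absent
    "sts_session_no_mfa":  {"aws:MultiFactorAuthPresent": "false"},
}

# The statement from the question: plain Bool never matches a missing key,
# so access-key traffic (the automation) is implicitly denied.
POLICY_FROM_QUESTION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# BoolIfExists: a missing key counts as a match, so long-term access keys are
# allowed, while any request that does carry the key (console, STS) must
# carry it as "true".
POLICY_IF_EXISTS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block matches.

    Simplified model: only Bool and BoolIfExists are implemented.
    """
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base != "Bool":
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue        # missing key: IfExists treats it as a match
                return False        # missing key: plain Bool never matches
            if context[key].lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    Follows the documented order: an explicit Deny wins, then any matching
    Allow, otherwise the request is implicitly denied.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def compare(policy_a, policy_b):
    """Map each constructed request to (result under policy_a, result under policy_b)."""
    return {name: (evaluate(policy_a, ctx), evaluate(policy_b, ctx))
            for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for name, (a, b) in compare(POLICY_FROM_QUESTION, POLICY_IF_EXISTS).items():
        print(f"{name:20s} Bool={a:13s} BoolIfExists={b}")
    print(json.dumps(POLICY_IF_EXISTS, indent=2))
```

Running it shows that the only row where the two policies differ is the access-key request: `Bool` implicitly denies it, `BoolIfExists` allows it, while console sessions without MFA stay denied under both. One caveat worth checking before rolling this out: automation that obtains temporary credentials (for example by assuming a role) does carry the key, so it is treated like a console session and still needs MFA under the `BoolIfExists` form.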