CloudFormation: Enable MFA

TL;DR

This guide shows you how to enforce Multi-Factor Authentication (MFA) for IAM users in an AWS account using CloudFormation. We’ll create a policy that denies every action unless the request is MFA-authenticated, then use a CloudFormation stack to attach it to the users it should cover.

Prerequisites

  • An active AWS account
  • Basic understanding of IAM policies
  • AWS CLI configured (optional, but helpful)

Steps

  1. Create an IAM Policy

    We’ll start by creating an IAM policy that denies every action unless the request was made with an MFA-authenticated session. Copy the following JSON into a file named mfa-policy.json:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyAllWithoutMFA",
          "Effect": "Deny",
          "Action": "*",
          "Resource": "*",
          "Condition": {
            "BoolIfExists": {
              "aws:MultiFactorAuthPresent": "false"
            }
          }
        }
      ]
    }

    Two details matter here. The condition uses BoolIfExists rather than Bool: the aws:MultiFactorAuthPresent key is absent from requests signed with long-term access keys, and a Bool condition on a missing key evaluates to false, so a Bool-based Deny would silently let access-key API calls through without MFA. BoolIfExists treats the missing key as a match, so those calls are denied as well. Second, because the statement denies every action, a user without MFA cannot enrol their own device or call sts:GetSessionToken to start an MFA session from the CLI. Either have an administrator enrol devices for users, or replace "Action": "*" with a "NotAction" list that exempts the self-service IAM actions (iam:CreateVirtualMFADevice, iam:EnableMFADevice, iam:ListMFADevices, iam:GetUser, iam:ResyncMFADevice) and sts:GetSessionToken, as AWS’s own example MFA policy does.

    Upload this policy to IAM using the AWS Management Console or the CLI, and note the policy ARN in the response; you will need it in step 3:

    aws iam create-policy --policy-name MFARequiredPolicy --policy-document file://mfa-policy.json
    
  2. Create a CloudFormation Template

    Now, we’ll create a CloudFormation template that attaches the policy. CloudFormation has no stand-alone resource that attaches an existing managed policy to an existing user, so the template creates an IAM group with the policy attached and adds the users to that group. Copy the following YAML into a file named cloudformation.yaml:

    Parameters:
      MFARequiredPolicyArn:
        Type: String
        Description: The ARN of the MFARequiredPolicy created in step 1.
      User1:
        Type: String
        Description: The name of an existing IAM user to add to the MFA-required group.

    Resources:
      MFARequiredGroup:
        Type: AWS::IAM::Group
        Properties:
          ManagedPolicyArns:
            - !Ref MFARequiredPolicyArn

      MFARequiredGroupMembers:
        Type: AWS::IAM::UserToGroupAddition
        Properties:
          GroupName: !Ref MFARequiredGroup
          Users:
            - !Ref User1
            # Add further existing user names here (or add more parameters)
    

    Important: every user listed under Users is added to the group and so becomes subject to the policy. If you would rather have CloudFormation own the policy as well, define it as an AWS::IAM::ManagedPolicy resource with the same PolicyDocument and name the group under its Groups property, instead of creating the policy separately in step 1.

  3. Deploy the CloudFormation Stack

    Upload your template to CloudFormation and create a stack. You’ll need to provide the ARN of the MFA Required Policy you created in step 1 and the name of the user you want to apply it to.

    You can deploy using the AWS Management Console or the CLI:

    aws cloudformation create-stack --stack-name mfa-enforcement --template-body file://cloudformation.yaml --parameters ParameterKey=MFARequiredPolicyArn,ParameterValue=<your_policy_arn> ParameterKey=User1,ParameterValue=<your_user_name> --capabilities CAPABILITY_IAM
    

    Replace <your_policy_arn> with the actual ARN of your MFA policy and <your_user_name> with the user’s name. CAPABILITY_IAM is required because the stack creates an IAM group. Run aws cloudformation wait stack-create-complete --stack-name mfa-enforcement to block until the stack has finished creating.

  4. Verify MFA Enforcement

    After the stack is created, test the policy as the specified user. Sign-in itself still succeeds, because the policy controls authorization rather than authentication, but with no MFA device enrolled every console action and every API call should fail with an access denied error; for example, aws iam list-users run with the user’s access keys is denied. Do not use aws sts get-caller-identity as the probe, since that call cannot be denied by an IAM policy. Then enrol an MFA device for the user, sign in to the console with the MFA code, and try again – the actions should now succeed. CLI access with MFA needs temporary credentials from aws sts get-session-token with --serial-number and --token-code, which only works if sts:GetSessionToken is exempted from the Deny as described in step 1.
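To see why the condition operator and the carve-outs matter before you deploy, here is an added example (not code from the original post or from AWS) that models only the pieces of IAM evaluation this policy depends on: the Bool and BoolIfExists operators, Action/NotAction matching, and the aws:MultiFactorAuthPresent key. It evaluates the step-1 Deny statement, once with Bool and once with BoolIfExists, plus a NotAction variant, against three constructed request contexts. The policy variants, contexts and the self-service exception list are constructed for this example; the exception list illustrates the kind of carve-out described in step 1 and is not a verbatim copy of any AWS-published policy.

```python
import copy
import fnmatch

# Constructed policies: the page's Deny statement with the Bool operator, the
# same statement with BoolIfExists, and a NotAction variant that exempts the
# actions a user needs to enrol a device and start an MFA session.
POLICY_BOOL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

POLICY_BOOL_IF_EXISTS = copy.deepcopy(POLICY_BOOL)
POLICY_BOOL_IF_EXISTS["Statement"][0]["Condition"] = {
    "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
}

# Hypothetical exception list for illustration (assumption, not an AWS-published policy).
SELF_SERVICE_EXCEPTIONS = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken",
]
POLICY_SELF_SERVICE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "NotAction": SELF_SERVICE_EXCEPTIONS, "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# Constructed request contexts, shaped as IAM builds them: long-term access
# keys carry no MFA key at all; temporary credentials carry it as true/false.
CTX_ACCESS_KEY = {}
CTX_SESSION_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
CTX_SESSION_MFA = {"aws:MultiFactorAuthPresent": "true"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_covered(statement, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards.
    NotAction covers every action that does NOT match the list."""
    if "Action" in statement:
        patterns, invert = _as_list(statement["Action"]), False
    else:
        patterns, invert = _as_list(statement["NotAction"]), True
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit != invert


def condition_matches(condition, context):
    """Only the two operators this policy needs. A Bool test on a missing
    key is false; a BoolIfExists test on a missing key is true."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def is_denied(policy, action, context):
    """True if any Deny statement applies. An explicit Deny wins over any
    Allow granted elsewhere, so this is the only effect we need to model."""
    return any(
        s["Effect"] == "Deny"
        and action_covered(s, action)
        and condition_matches(s.get("Condition", {}), context)
        for s in policy["Statement"]
    )


def compare(action="s3:ListAllMyBuckets"):
    """Denied-or-not matrix for one action under the three policies."""
    contexts = {"access_key": CTX_ACCESS_KEY, "session_no_mfa": CTX_SESSION_NO_MFA,
                "session_mfa": CTX_SESSION_MFA}
    policies = {"Bool": POLICY_BOOL, "BoolIfExists": POLICY_BOOL_IF_EXISTS,
                "SelfService": POLICY_SELF_SERVICE}
    return {p: {c: is_denied(pol, action, ctx) for c, ctx in contexts.items()}
            for p, pol in policies.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:13s}", {c: ("DENIED" if d else "allowed") for c, d in row.items()})
    # Only the NotAction variant lets an access-key user bootstrap an MFA session.
    print("sts:GetSessionToken without MFA under SelfService denied?",
          is_denied(POLICY_SELF_SERVICE, "sts:GetSessionToken", CTX_ACCESS_KEY))
```

The Bool row is the one to watch: the access-key request is not denied, because the key is absent and Bool on a missing key is false. Switching to BoolIfExists closes that gap, and the NotAction variant additionally leaves sts:GetSessionToken and the enrolment actions reachable without MFA so that users can actually get into an MFA session.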
