Can you require MFA for AWS IAM accounts?

Is it possible to require Multi-factor Authentication (MFA) to be enabled for specific/all IAM accounts in Amazon Web Services?

There are options for password requirements and it's clear how one can choose to add it to one's account, but it's not clear if there is an option to force users to have MFA.


After a bit of looking around, it appears that the answer is "kind of". In IAM, an administrator can configure an MFA for another IAM user. Although this may be a bit tricky if you are setting up a virtual MFA, it's possible. Then, if the user has not been granted permissions to update/remove their MFA, it is effectively required.

While I have not yet determined the complete list of actions that should be denied (or simply not granted), this post seems to have the information, and I will update this answer once I have tested it.

[Update]

I was able to set up users as power-users (thereby not granting them access to any IAM functions, although I'm sure you could get more granular), and implement their MFA with them. Using this methodology, they will be unable to disable it.


The answer is yes, there is, by using a condition. For instance, for admin accounts:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*", 
      "Condition":
      {
          "Null":{"aws:MultiFactorAuthAge":"false"}
      }
    }
  ]
}

It will enforce MFA for both password authentication and token-based authentication using the API.


The accepted answer is no longer valid AFAICT. AWS has documented how you can do this through their tutorial article here:

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html

I followed that for my new AWS Account and Team and it worked great.
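As an added example (not from any of the answers above), the following policy shows the self-service pattern the linked tutorial describes: it lets a user view and enrol their own MFA device without MFA, but denies every other action until the request is MFA-authenticated. The statement names (Sid values) and the decision to require MFA before a device may be deactivated or deleted are my own; the action names, resource ARNs and condition keys are the standard IAM ones.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"],
      "Resource": "*"
    },
    {
      "Sid": "AllowCreateOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": ["iam:CreateVirtualMFADevice"],
      "Resource": "arn:aws:iam::*:mfa/*"
    },
    {
      "Sid": "AllowEnrolOwnUserMFA",
      "Effect": "Allow",
      "Action": ["iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice"],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowRemoveOwnMFAOnlyWhenMFAAuthenticated",
      "Effect": "Allow",
      "Action": ["iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"],
      "Resource": ["arn:aws:iam::*:user/${aws:username}", "arn:aws:iam::*:mfa/*"],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
```

The deny statement uses BoolIfExists rather than Bool because aws:MultiFactorAuthPresent is absent (not false) for requests signed with long-term access keys, and a plain Bool test would never match those requests, leaving them allowed.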