Serverless function to automate enforcement of Multi-Factor Authentication (MFA) to all AWS IAM users with access to AWS Management Console.
Enforcing MFA to IAM users was a manual task. But now all you have to do is, setup Serverless Framework and run the command:
git clone https://github.com/Chan9390/aws-mfa-enforce cd aws-mfa-enforce # execute awscli commands to configure email notifications sls deploy
To add email notification feature, edit
serverless.js to set the email subject and body. Also execute the following commands before deploying:
aws ssm put-parameter --name email --type String --value [email protected] --region us-east-1 aws ssm put-parameter --name email_password --type String --value your_password --region us-east-1
(Don't forget to allow insecure apps to access your Gmail account. This setup will not work otherwise.)
This serverless function creates an IAM Group called
MFA-enforced with an inline policy which denies access to all AWS services until the IAM user activate MFA. It also has a lambda function which acts as a cron (for every 12 hours) to check for new IAM users and add it to the group.
It can also send emails to the IAM user accounts if the IAM usernames is a valid email ID. But this is optional feature.
Goto https://console.aws.amazon.com/iam/home?#/groups/MFA-enforced and remove all users from the group. Then to remove the complete serverless function execute