AWS Official Blog

MFA Protection for Cross-Account Access

by Jeff Barr | on | in AWS IAM | | Comments

Shon Shah, Senior Product Manager on the AWS Identity and Access Management (IAM) team, sent along a guest post announcing new IAM functionality that enables you to enforce multi-factor authentication (MFA) when providing programmatic access across AWS accounts.

— Jeff;


IAM roles enable you to grant an IAM user in one AWS account access to resources in a different account (i.e., cross-account access). Roles provide a secure and controllable mechanism as you dont have to share AWS security credentials (secret access keys) and you can revoke the access at any time.

MFA is a security best practice that adds an extra layer of protection to your AWS account. It requires users to present two independent credentials: what the user knows (password or secret access key) and what the user has (MFA device). IAM already supports adding MFA protection when you grant access to users within a single AWS account.

Today, we are announcing the ability to add MFA protection for access across AWS accounts.

Lets take a closer look at how you might use this. In our earlier blog post, we looked at a scenario where your company had two AWS accounts. A main account where you created most of your users and a research account that stored data from several research projects. We showed how you can create a role in the research account that can be assumed by a user Joe in the main account. This enabled Joe to access Amazon DynamoDB tables in the research account even though he was not a user in the research account. But what if the data is particularly sensitive and the admin of the research account wants to add an extra layer of protection? The admin can accomplish this by using the new MFA protection, which will require Joe to use MFA before assuming the role. For the admin, it is as simple as selecting the Require MFA checkbox when creating a role in the AWS Management Console, as shown in the picture below. This ensures that only MFA-authenticated users can assume the role.

This example shows how to add MFA protection for access between AWS accounts owned by the same company. But the feature works the same for access between accounts owned by different companies.

Another benefit of the new feature is that it enables you to add MFA protection for IAM actions like creating users, changing passwords, modifying password policies etc. Previously, it was possible to add MFA protection for AWS actions other than IAM actions. Now you can add it for IAM actions too. Imagine you hired a security consultant for a month to perform penetration testing of your website. You could create an IAM user for him in your AWS account, which enables him to perform actions like launching Amazon EC2 instances, uploading logs to Amazon S3 bucket etc. Before he leaves, imagine you would like him to check the IAM configuration of your AWS account. However, you would like to ensure additional level of protection due to the privileged nature of the IAM actions. You could accomplish this by creating a role that permits IAM actions but requires using MFA before assuming the role. This way you get the extra layer of protection for privileged actions in your AWS account. You can use such roles to MFA-protect IAM actions between accounts, not just within a single account.

For additional information about this new feature, including detailed scenario and sample code, see How do I Protect Cross-Accout Access Using MFA on the AWS Security Blog or visit the Configuring MFA-Protected API Access section of the Using IAM guide.

Please let us know what you think. You can post comments below or start a thread in the IAM forum.

– Shon