mfa-enabled-for-iam-console-access
Checks if Amazon multi-factor authentication (MFA) is enabled for all Amazon Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled.
Note
Re-evaluating this rule within 4 hours of the first evaluation will have no effect on the results.
Note
The AWS::IAM::User
resource type can only be recorded by Amazon Config in Regions where Amazon Config was available before February 2022. AWS::IAM::User
cannot be recorded in Regions supported by Amazon Config after February 2022.
Additionally, if you have selected to record AWS::IAM::User
in at least one Region, periodic rules such as this rule that report compliance on AWS::IAM::User
will run evaluations on AWS::IAM::User
in all Regions where the periodic rule is added, even if you have not enabled the recording of AWS::IAM::User
in the Region where the periodic rule was added.
You should only deploy this rule to one of the supported Regions to avoid unnecessary evaluations and API throttling. Not enabling the recording of global IAM resource types will not prevent this rule from running evaluations, if you have enable the recording of global IAM resource types in another Region. To avoid unnecessary evaluations, you should limit the deployment of this rule to one Region.
Identifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
Resource Types: AWS::IAM::User
Trigger type: Periodic
Amazon Web Services Region: All supported Amazon regions except Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region
Parameters:
- None
Amazon CloudFormation template
To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.