Configuring MFA-protected API access
With IAM policies, you can specify which API operations a user is allowed to call.
In some cases, you might want the additional security of requiring users to be authenticated with AWS MFA before you allow them to perform particularly sensitive actions.
For example, you might want to restrict a destructive action like TerminateInstances and ensure that users can perform that action only if they authenticate with an AWS MFA device.
This policy grants users permission to call the Amazon EC2 StopInstances and TerminateInstances actions only if the user has authenticated using MFA.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:StopInstances",
      "ec2:TerminateInstances"
    ],
    "Resource": ["*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
get-session-token
The GetSessionToken API operation returns a set of temporary security credentials to an existing IAM user. This is useful for providing enhanced security, such as allowing AWS requests only when MFA is enabled for the IAM user.
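The following is an added example, not part of the original page or of AWS's own code: a small simulator of how the policy above behaves for three kinds of credentials (a GetSessionToken session obtained with an MFA code, one obtained without, and a long-term access key, for which the aws:MultiFactorAuthPresent key is absent from the request context). It also compares a Deny-style variant written with Bool against one written with BoolIfExists, because only the latter covers the absent-key case. The evaluation logic and the request contexts are a simplified model constructed for this example.

```python
import json
# The policy from the page, embedded verbatim so the example runs offline.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
    "Resource": ["*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}""")

def condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists against a request context. A key absent from
    the context makes Bool fail; BoolIfExists treats the absent key as a match."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False
                continue
            if context[key].lower() != expected.lower():
                return False
    return True

def is_allowed(policy, action, context):
    """Simplified IAM logic: explicit Deny wins, then any matching Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def deny_unless_mfa(operator):
    """Constructed companion policy: allow the action, but deny it when MFA is not present."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}]}

# Constructed request contexts for the three credential situations.
CTX_MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}     # GetSessionToken with an MFA code
CTX_NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}  # GetSessionToken without MFA
CTX_LONG_TERM_KEY = {}  # long-term access key: the key is absent from the context
```

Running the three contexts through the page's Allow policy shows that only the MFA session is permitted; the Deny variant with plain Bool lets the long-term key through, while BoolIfExists blocks it.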