Configuring MFA-protected API access

  • With IAM policies, you can specify which API operations a user is allowed to call.

    • In some cases, you might want the additional security of requiring users to be authenticated with AWS MFA before you allow them to perform particularly sensitive actions.

      • For example, you might want to restrict a destructive action like TerminateInstances and ensure that users can perform that action only if they authenticate with an AWS MFA device.

  • This policy grants users permission to call the Amazon EC2 StopInstances and TerminateInstances actions only if the user has authenticated using MFA.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:StopInstances",
      "ec2:TerminateInstances"
    ],
    "Resource": ["*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
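As an added example (not from this page or from AWS), a small Python evaluator for the Bool condition in the policy above. It shows why a request signed with long-term access keys, whose request context has no aws:MultiFactorAuthPresent key at all, is implicitly denied just like a request from a session created without an MFA code; the request contexts are constructed for the demo.

```python
import fnmatch
import json

# The policy from the page, embedded so the example runs offline.
MFA_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
    "Resource": ["*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}""")

# Constructed request contexts: long-term keys carry no MFA key at all.
CONTEXTS = {
    "session-with-mfa": {"aws:MultiFactorAuthPresent": "true"},
    "session-without-mfa": {"aws:MultiFactorAuthPresent": "false"},
    "long-term-access-key": {},
}


def condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists blocks against a request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                # A plain Bool test fails when the key is absent; only the
                # ...IfExists variant treats a missing key as a match.
                if operator.endswith("IfExists"):
                    continue
                return False
            if str(actual).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, context):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action and context."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, p) for p in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for name, ctx in CONTEXTS.items():
        print(f"{name:22} ec2:TerminateInstances -> {evaluate(MFA_POLICY, 'ec2:TerminateInstances', ctx)}")
```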

get-session-token

  • The GetSessionToken API operation returns a set of temporary security credentials for an existing IAM user.

  • This is useful for providing enhanced security, such as allowing AWS requests only when MFA is enabled for the IAM user. When the call includes the user's MFA device serial number and a current token code, the returned credentials carry the MFA context that the aws:MultiFactorAuthPresent condition key checks.
