Use MFA on the CLI and execute awscli commands securely
To enhance security, you can enable multi-factor authentication (MFA) also for issuing CLI commands.
You can configure your MFA device by going to the IAM console, searching for the user, and following these arrows:
IAM policy example
For example, you configure a trust policy like the one below. Notice the `Condition` block requiring `aws:MultiFactorAuthPresent` to be `true`: for the user to assume the role from the CLI, the session used for the `sts:AssumeRole` call must have been authenticated with an MFA token.
This condition can be applied to any `Action` in any IAM policy.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::nnnnnnnnnnnn:user/user.name"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```
Manually calling the CLI to obtain the temporary session token and then setting the credentials as environment variables is a hassle, so I came up with this quick script to automate the job.
In the following script, you only have to replace `YOUR_MFA_ARN` with the ARN of the MFA device you configured in the security settings of your AWS IAM user.
Then you can either source or execute the script.
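As an added example (not the author's script, which is not reproduced here), the following Python helper does the same job: it calls `aws sts get-session-token` with the MFA device serial and the current token code, checks the response, and prints `export` lines that you `eval` into your shell so the session credentials carry `aws:MultiFactorAuthPresent = true` for subsequent calls. The `MFA_ARN` value is a placeholder, and the sample STS response used below is constructed; the CLI flags `--serial-number`, `--token-code` and `--duration-seconds` are the real `get-session-token` options.

```python
#!/usr/bin/env python3
"""Obtain MFA-backed temporary credentials via the AWS CLI and emit them as
shell `export` lines. Usage (added example, ARN is a placeholder):

    eval "$(python3 mfa_session.py 123456)"
"""
import json
import os
import shlex
import subprocess
import sys
from datetime import datetime, timezone
from typing import List, Optional

# Placeholder: replace with the ARN of the MFA device attached to your IAM user.
MFA_ARN = "arn:aws:iam::nnnnnnnnnnnn:mfa/user.name"
DEFAULT_DURATION = 3600  # seconds; get-session-token accepts 900 .. 129600

# STS response field -> environment variable the AWS CLI and SDKs read.
ENV_MAP = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def validate_token_code(code: str) -> bool:
    """A TOTP code from a virtual MFA device is exactly six digits."""
    return len(code) == 6 and code.isdigit()


def session_token_command(serial: str, code: str,
                          duration: int = DEFAULT_DURATION) -> List[str]:
    """Build the CLI invocation. Passing --serial-number and --token-code is
    what makes the returned session satisfy aws:MultiFactorAuthPresent."""
    if not validate_token_code(code):
        raise ValueError("MFA token code must be six digits")
    if not 900 <= duration <= 129600:
        raise ValueError("duration must be between 900 and 129600 seconds")
    return ["aws", "sts", "get-session-token",
            "--serial-number", serial,
            "--token-code", code,
            "--duration-seconds", str(duration),
            "--output", "json"]


def parse_credentials(output: str) -> dict:
    """Extract and sanity-check the Credentials object in the STS JSON reply."""
    creds = json.loads(output)["Credentials"]
    missing = [k for k in (*ENV_MAP, "Expiration") if k not in creds]
    if missing:
        raise ValueError("STS response is missing fields: %s" % missing)
    return creds


def is_expired(expiration: str, now: Optional[datetime] = None) -> bool:
    """STS returns Expiration as ISO-8601, either with 'Z' or '+00:00'."""
    exp = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return now >= exp


def render_exports(creds: dict) -> str:
    """Lines suitable for `eval`; shlex.quote keeps a token containing shell
    metacharacters from breaking out of the assignment."""
    lines = ["export %s=%s" % (env, shlex.quote(creds[key]))
             for key, env in ENV_MAP.items()]
    lines.append("# session expires at %s" % creds["Expiration"])
    return "\n".join(lines)


def main(argv: List[str]) -> int:
    code = argv[1] if len(argv) > 1 else input("MFA code: ").strip()
    # get-session-token must be called with long-term keys, so drop any
    # temporary credentials already present in the environment.
    env = {k: v for k, v in os.environ.items() if k not in ENV_MAP.values()}
    try:
        result = subprocess.run(session_token_command(MFA_ARN, code), env=env,
                                capture_output=True, text=True, check=True)
        creds = parse_credentials(result.stdout)
    except (ValueError, KeyError, json.JSONDecodeError) as exc:
        print("failed to obtain session token: %s" % exc, file=sys.stderr)
        return 1
    except subprocess.CalledProcessError as exc:
        print("aws sts get-session-token failed: %s" % exc.stderr.strip(), file=sys.stderr)
        return 1
    if is_expired(creds["Expiration"]):
        print("STS returned already-expired credentials", file=sys.stderr)
        return 1
    print(render_exports(creds))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Printing `export` lines rather than setting variables directly is what lets the same file work whether you `eval` its output or wrap it in a shell function; the credentials never touch disk, and they disappear with the shell session.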