Use MFA on the CLI and execute awscli commands securely

An Rodriguez - Feb 3 '20 - - Dev Community

To enhance security, you can require multi-factor authentication (MFA) for CLI commands as well, not only for console logins.

You can configure your MFA device by going to the IAM console, selecting the user and following the arrows shown in the screenshot:

Configure your virtual MFA device

IAM policy example

For example, configure a trust policy like the one below. Note the Condition that requires aws:MultiFactorAuthPresent to be true: for the user to assume the role from the CLI, the session must have been authenticated with an MFA token.

This condition can be applied to any Action in any IAM policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::nnnnnnnnnnnn:user/user.name"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}

Manually obtaining the temporary session tokens with the CLI and then setting them as environment variables is a hassle, so I came up with this quick script to automate the job.

In the following script, you only have to replace YOUR_MFA_ARN with the ARN of the MFA device configured under the security credentials of your AWS IAM user.

Then you can either source or execute the script.


Here's the bash script aws-mfa-cli.sh:
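The author's aws-mfa-cli.sh is not reproduced on this page; the following is an added example of the same procedure (request MFA-backed temporary credentials with `aws sts get-session-token` and expose them as environment variables), not the article's own script. It assumes the placeholder MFA_ARN is replaced with your device ARN, that the AWS CLI is installed with long-lived user keys configured, and that the token code is passed as the first argument.

```shell
#!/bin/sh
# Added example, not the article's aws-mfa-cli.sh.
# Requests MFA-backed temporary credentials with `aws sts get-session-token`
# and prints them as `export` lines. MFA_ARN below is a placeholder: set it
# to YOUR_MFA_ARN from the IAM user's security credentials.

MFA_ARN="${MFA_ARN:-arn:aws:iam::nnnnnnnnnnnn:mfa/user.name}"  # placeholder
DURATION="${DURATION:-3600}"  # lifetime of the session, in seconds

# Convert one tab-separated line of AWS CLI text output
# (AccessKeyId, SecretAccessKey, SessionToken, Expiration) into export
# statements. Pure text processing, so it can be exercised without AWS.
credentials_to_exports() {
  old_ifs=$IFS
  IFS="$(printf '\t')"
  set -- $1
  IFS=$old_ifs
  if [ "$#" -lt 3 ]; then
    echo "unexpected STS output: expected key id, secret and session token" >&2
    return 1
  fi
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$1"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$2"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$3"
  printf '# session expires at %s\n' "${4:-unknown}"
}

# Call STS with the MFA device serial and the current 6-digit code.
# AWS_SESSION_TOKEN is unset for the call: GetSessionToken must be signed
# with the long-lived user keys, not with credentials from an earlier session.
fetch_session_exports() {
  code=$1
  raw=$(env -u AWS_SESSION_TOKEN aws sts get-session-token \
        --serial-number "$MFA_ARN" \
        --token-code "$code" \
        --duration-seconds "$DURATION" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text) || return 1
  credentials_to_exports "$raw"
}

# With a token code as the first argument, fetch and print the exports;
# with no argument nothing is called, so the file can be sourced for its
# functions. Load the result into the current shell with:
#   eval "$(sh aws-mfa-cli.sh 123456)"
if [ -n "${1:-}" ]; then
  fetch_session_exports "$1"
fi
```

Once the exports are loaded, the CLI signs requests with the temporary credentials, so policies conditioned on aws:MultiFactorAuthPresent (such as the trust policy above) will allow the call until the printed expiry.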
