# MFA Policy Enforcer
## Overview

This Terraform module provisions an IAM policy that denies AWS API calls made without Multi-Factor Authentication (MFA). Once attached to IAM users or groups it enforces MFA for those principals, which limits the damage a leaked password or long-term access key can do.
## Key Features
- Denies AWS API access unless the request is MFA-authenticated
- Customizable policy name and description
- Helps enforce organization-wide IAM security standards
- Tags for environment and usage tracking
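The page does not show the module's own policy document, so as an added illustration (not the module's source) here is the standard shape of a deny-unless-MFA policy written as a Terraform `aws_iam_policy_document`, with the two details practitioners most often get wrong: a self-service exception so a newly created user can enrol a device, and a `BoolIfExists` test rather than `Bool`. The statement IDs and the exact action list are assumptions.

```hcl
# Added example, not the module's own code: illustrative shape of an
# IAM policy that denies non-MFA requests but still lets a user enrol.
data "aws_iam_policy_document" "deny_without_mfa_example" {
  # Let every user see and manage only their own MFA device and user
  # record, so a fresh user can enrol before the Deny below applies.
  statement {
    sid    = "AllowOwnMfaManagement"
    effect = "Allow"
    actions = [
      "iam:ListMFADevices",
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ResyncMFADevice",
      "iam:GetUser",
    ]
    # "$${...}" escapes Terraform interpolation so IAM sees ${aws:username}.
    resources = [
      "arn:aws:iam::*:mfa/$${aws:username}",
      "arn:aws:iam::*:user/$${aws:username}",
    ]
  }

  # Deny everything except enrolment and sts:GetSessionToken (needed to
  # obtain an MFA-authenticated session from the CLI) when MFA is absent.
  #
  # BoolIfExists, not Bool: aws:MultiFactorAuthPresent is simply missing
  # from requests signed with long-term access keys, and a plain Bool test
  # never matches a missing key, so those requests would not be denied.
  statement {
    sid    = "DenyAllExceptListedIfNoMfa"
    effect = "Deny"
    not_actions = [
      "iam:ListMFADevices",
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ResyncMFADevice",
      "iam:GetUser",
      "sts:GetSessionToken",
    ]
    resources = ["*"]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}
```

Whatever the module's statement looks like, check it for the same two properties before rolling it out: a user without a device must still be able to enrol one, and a request signed with plain access keys (no session token) must be denied.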
## Use Cases
- Enforce mandatory MFA usage across all IAM users
- Secure privileged IAM roles with least-privilege + MFA
- Integrate with compliance frameworks such as CIS, NIST, and ISO
- Harden IAM authentication layers in staging or production accounts
## Input Variables
| Name | Type | Description |
|---|---|---|
| region | string | AWS region for deployment |
| policy_name | string | Name for the IAM policy enforcing MFA |
| policy_description | string | Description of the policy |
## Outputs
| Name | Description |
|---|---|
| policy_name | Name of the created IAM policy |
| policy_arn | ARN of the IAM policy for enforcement |
## Deployment Readiness

- ✅ Compatible with Terraform 1.0+
- ✅ Requires AWS Provider 5.x+
- Requires `iam:CreatePolicy` permission; the identity running `plan` and `destroy` also needs at least `iam:GetPolicy`, `iam:GetPolicyVersion` and `iam:DeletePolicy`
## Example Usage

```hcl
module "mfa_policy_enforcer_deployment" {
  source             = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//identity/mfa-policy-enforcer?ref=v1.0.0"
  region             = "us-east-1"
  policy_name        = "EnforceMFAAccess"
  policy_description = "Enforces MFA for all IAM users in the account"
}
```

```bash
terraform init
terraform plan
terraform apply
```

or, with OpenTofu:

```bash
tofu init
tofu plan
tofu apply
```
## Cleanup

Terraform Destroy:

```bash
terraform destroy
```

or

```bash
tofu destroy
```

Manual Deletion:

```bash
aws iam delete-policy --policy-arn arn:aws:iam::<account-id>:policy/EnforceMFAAccess
```

⚠️ `delete-policy` fails with `DeleteConflict` while the policy is still attached to any user, group or role, or while non-default policy versions exist. Detach it first (`aws iam detach-user-policy` / `detach-group-policy` / `detach-role-policy`) and delete any extra versions. Detaching is also what lifts the MFA requirement from those principals, so schedule the removal deliberately rather than as part of routine cleanup.
## Notes

This is a Level 1 security module designed to enforce MFA across AWS accounts.

The policy has no effect on its own. To activate it, attach it to IAM users or groups (attaching to a group is the usual pattern); it can also be attached to roles, where the MFA check applies to the session that assumed the role. Test it against one non-privileged user before attaching it broadly.

Keep at least one break-glass principal outside the policy's scope, protected by a hardware MFA device and tightly controlled credentials, so a misconfigured MFA setup cannot lock the whole account out. Note that the root user is not subject to IAM policies at all; enable MFA on root separately.
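The following is an added example, not part of the module, showing how the attachment step and the break-glass advice above fit together in Terraform: the policy created by the module is attached to a group through the module's `policy_arn` output, ordinary users are placed in that group, and one break-glass user is deliberately left outside it. The names `iam-users`, `alice` and `breakglass` are illustrative.

```hcl
# Added example (not the module's own code): activate the policy for a
# group and keep one emergency user outside the Deny's scope.
module "mfa_policy_enforcer_deployment" {
  source             = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//identity/mfa-policy-enforcer?ref=v1.0.0"
  region             = "us-east-1"
  policy_name        = "EnforceMFAAccess"
  policy_description = "Enforces MFA for all IAM users in the account"
}

# Group that every human IAM user belongs to.
resource "aws_iam_group" "humans" {
  name = "iam-users"
}

# Attach the policy from the module output; this is the step that makes
# the MFA requirement take effect for the group's members.
resource "aws_iam_group_policy_attachment" "enforce_mfa" {
  group      = aws_iam_group.humans.name
  policy_arn = module.mfa_policy_enforcer_deployment.policy_arn
}

# An ordinary user, enrolled in the enforced group.
resource "aws_iam_user" "alice" {
  name = "alice"
}

resource "aws_iam_user_group_membership" "alice" {
  user   = aws_iam_user.alice.name
  groups = [aws_iam_group.humans.name]
}

# Break-glass user: intentionally NOT a member of the group, so the Deny
# never applies to it. Protect it with a hardware MFA device, store its
# credentials out of band, and alert on any use of it.
resource "aws_iam_user" "breakglass" {
  name = "breakglass"
  tags = {
    purpose = "emergency-access"
  }
}
```

After `apply`, confirm the behaviour with the IAM policy simulator rather than by trial and error with real credentials, e.g. `aws iam simulate-principal-policy --policy-source-arn <alice's user ARN> --action-names s3:ListAllMyBuckets --context-entries ContextKeyName=aws:MultiFactorAuthPresent,ContextKeyValues=false,ContextKeyType=boolean` should report `implicitDeny` or `explicitDeny`, and the same call with `ContextKeyValues=true` (given an Allow elsewhere) should not be blocked by this policy. Repeat the first call without the `--context-entries` argument to cover the long-term-access-key case, where the key is absent.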
## Deployment Package Notice
This module is part of the Level 1 AWS License Tier.
To access the full deployment package and source code, subscribe to Archiphire.