awsdocs / iam-user-guide

Official documentation source for the AWS Identity and Access Management (IAM) User Guide
MIT No Attribution
324 stars, 355 forks

This policy requires MFA for CLI use as well #203

Closed adespain closed 2 years ago

adespain commented 4 years ago

I have tested the ForceMFA policy in the document and noticed that now even the CLI is not usable unless a temporary ID, key and token are generated each time, as mentioned in this article: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

Does the ForceMFA policy make the user access key and ID found in the User's security credentials page useless since now they can only use the CLI with the temp credentials that expire after 36 hours (as mentioned in the article above)? What would the policy need to look like if we wanted to only use MFA for the console and not the CLI access? Or would that not be considered best practice?

Chr96er commented 3 years ago

Apparently this can be achieved by changing the BoolIfExists at the end to Bool according to: https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/

It seems like Bool evaluates to false if the key is missing (hence allow) whereas BoolIfExists evaluates to true (hence deny).

However, this only solved the problem for me for some services like S3, which works as expected via the CLI. If I try to run aws glue get-table... I still get an AccessDeniedException unless I detach the Force_MFA policy. I can't see a reason why there should be any difference between S3 and Glue API calls, so I must assume this is a bug and not a problem with the policy.
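The two comments above turn on one evaluation rule: when a request is signed with a long-term access key, the `aws:MultiFactorAuthPresent` key is simply absent from the request context, and `Bool` and `BoolIfExists` treat an absent key in opposite ways. The following is an added illustration, not code from the awsdocs/iam-user-guide repository: a small evaluator for the "deny unless MFA" statement of the ForceMFA pattern that runs the same action through both operator variants against constructed request contexts (console sign-in with and without MFA, CLI with a long-term key, CLI with a GetSessionToken session obtained with MFA). The `NotAction` list is abbreviated, the helper names are this example's own, and the contexts are constructed for the demonstration.

```python
# Added illustration, not code from the awsdocs/iam-user-guide repository.
# A minimal evaluator for the "deny unless MFA" statement used by the
# ForceMFA policy, showing why Bool and BoolIfExists differ when the
# aws:MultiFactorAuthPresent key is absent from the request context.
# Request contexts below are constructed for this example.

import json

# Actions a user needs to set up MFA in the first place. Abbreviated here;
# the guide's policy lists a few more (for example iam:GetUser).
MFA_BOOTSTRAP_ACTIONS = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ListMFADevices",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]


def deny_unless_mfa_statement(operator: str) -> dict:
    """Build the Deny statement with either "Bool" or "BoolIfExists"."""
    return {
        "Sid": "DenyAllExceptListedIfNoMFA",
        "Effect": "Deny",
        "NotAction": MFA_BOOTSTRAP_ACTIONS,
        "Resource": "*",
        "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
    }


def evaluate_condition(condition: dict, context: dict) -> bool:
    """Return True when every key in the Condition block matches the context.

    Only Bool and BoolIfExists are implemented. The rule that matters here:
    a missing key makes Bool evaluate to False (statement does not apply),
    while the same missing key makes BoolIfExists evaluate to True.
    """
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported operator: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False
                continue  # BoolIfExists: absent key counts as a match
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def deny_applies(statement: dict, action: str, context: dict) -> bool:
    """True if this Deny statement blocks `action` for the given context."""
    if statement["Effect"] != "Deny":
        raise ValueError("evaluator only handles Deny statements")
    if action in statement["NotAction"]:
        return False  # bootstrap actions are never denied
    return evaluate_condition(statement["Condition"], context)


# Constructed request contexts. Long-term access keys carry no
# aws:MultiFactorAuthPresent key at all; temporary credentials (console
# sign-in, GetSessionToken) carry it as "true" or "false" depending on
# whether MFA was used to obtain them.
CONTEXTS = {
    "console, MFA": {"aws:MultiFactorAuthPresent": "true"},
    "console, no MFA": {"aws:MultiFactorAuthPresent": "false"},
    "cli, long-term key": {},
    "cli, session token + MFA": {"aws:MultiFactorAuthPresent": "true"},
}


def compare_operators(action: str) -> dict:
    """Map each context name to {operator: denied?} for `action`."""
    return {
        name: {
            op: deny_applies(deny_unless_mfa_statement(op), action, ctx)
            for op in ("BoolIfExists", "Bool")
        }
        for name, ctx in CONTEXTS.items()
    }


if __name__ == "__main__":
    # Same outcome for any non-bootstrap action, S3 or Glue alike.
    print(json.dumps(compare_operators("s3:ListAllMyBuckets"), indent=2))
```

Running it shows the `cli, long-term key` row as denied under `BoolIfExists` and allowed under `Bool`, which is exactly the change Chr96er describes and the behaviour adespain observed with the published policy. The caveat behind adespain's "best practice" question is visible in the same row: with `Bool`, any request that carries no `aws:MultiFactorAuthPresent` key, which is every request signed with a long-term access key, is never caught by the Deny, so the access keys are effectively exempt from the MFA requirement rather than merely inconvenienced by it. The evaluator does not model service-specific behaviour, so it says nothing about the S3 versus Glue difference reported above.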