AWS IAM glossary

What is IAM Multi-Factor Authentication (MFA)?

MFA adds a second authentication factor on top of a password or long-term access key, so a stolen credential alone is not enough to act.

For human users, MFA on console sign-in blocks attackers who reset or steal a password, which is why several privilege-escalation paths depend on the target not having MFA. AWS supports virtual authenticator apps, FIDO security keys, and hardware tokens.

MFA can also gate sensitive API actions through the aws:MultiFactorAuthPresent condition key, so a policy can require a fresh MFA session before allowing high-impact operations such as deleting resources or changing IAM.

Example

{
  "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
}
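The fragment above only shows the condition. As an added example (not taken from the page), here is a complete identity-based policy built around that key. The action list is illustrative. Two details matter in practice: aws:MultiFactorAuthPresent is absent, not "false", on requests signed with long-term access keys, so a Deny must use BoolIfExists to catch that case; and the Bool check alone does not enforce freshness, which is what aws:MultiFactorAuthAge (seconds since MFA) is for.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySensitiveActionsWithoutMfa",
      "Effect": "Deny",
      "Action": [
        "iam:*",
        "s3:DeleteBucket",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    },
    {
      "Sid": "DenyIamChangesWithStaleMfa",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "*",
      "Condition": {
        "NumericGreaterThan": { "aws:MultiFactorAuthAge": "3600" }
      }
    }
  ]
}
```

The first statement denies the listed actions whenever the MFA key is missing or false, which covers both console sessions without MFA and plain access-key requests. The second denies IAM changes once the MFA session is older than one hour; because aws:MultiFactorAuthAge is also absent when no MFA was used, it relies on the first statement to handle that case. Attach a policy like this alongside the user's normal Allow grants; an explicit Deny wins regardless of what else is permitted.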

Common mistake

Enforcing MFA on the root user but not on privileged IAM users. Any human user with broad permissions should require MFA, both to sign in and for sensitive actions.


Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.