A small script to force IAM users to use MFA, while not requiring it for API-only access
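# Reconcile membership of the 'ForceMFA' IAM group ("MFA jail") against the
# current MFA state of every IAM user:
#   - users with a console login profile but no MFA device are added to the group
#   - users with an MFA device are removed from the group
#   - API-only users (no login profile) are removed from the group
# Requires IAM permissions to list users, read login profiles / MFA devices,
# and add/remove group membership. Intended to be run on a schedule.
Import-Module -Name AWSPowerShell.NetCore

# Name of the group whose policy restricts users until they enrol an MFA device.
$MfaJailGroup = 'ForceMFA'

$users = Get-IAMUserList
foreach ($user in $users.UserName) {
    # Do not add API-only users to MFA jail.
    # Only a NoSuchEntity error from Get-IAMLoginProfile proves the user has no
    # console password. Any other failure (AccessDenied, throttling, network)
    # must NOT be treated as "API-only": the original blanket catch would then
    # release the user from the jail on a transient error, i.e. fail open.
    try {
        $null = Get-IAMLoginProfile -UserName $user
    }
    catch [Amazon.IdentityManagement.Model.NoSuchEntityException] {
        Write-Output "Removing API-only user '$user' from MFA jail"
        Remove-IAMUserFromGroup -GroupName $MfaJailGroup -UserName $user -Force
        continue
    }
    catch {
        # Fail closed: leave this user's group membership untouched and move on,
        # surfacing the error so the run is not silently incomplete.
        Write-Warning "Could not read login profile for '$user'; leaving group membership unchanged: $($_.Exception.Message)"
        continue
    }

    # Get-IAMMFADevice returns nothing for users with no MFA device enabled.
    if (Get-IAMMFADevice -UserName $user) {
        Write-Output "Removing user '$user' from MFA jail, as they have MFA enabled"
        Remove-IAMUserFromGroup -GroupName $MfaJailGroup -UserName $user -Force
    }
    else {
        Write-Output "Adding user '$user' to MFA jail, as they have MFA disabled"
        Add-IAMUserToGroup -GroupName $MfaJailGroup -UserName $user -Force
    }
}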