serban-petrescu/Policy.json

## Policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:ChangePassword",
                "iam:GetAccountPasswordPolicy",
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

## Usage.bat
aws sts get-session-token ^
  --serial-number arn:aws:iam::<account>:mfa/<user> ^
  --token-code <mfa token>
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "DenyAllExceptListedIfNoMFA",
	"Effect": "Deny",
	"NotAction": [
	"iam:ChangePassword",
	"iam:GetAccountPasswordPolicy",
	"iam:CreateVirtualMFADevice",
	"iam:EnableMFADevice",
	"iam:GetUser",
	"iam:ListMFADevices",
	"iam:ListVirtualMFADevices",
	"iam:ResyncMFADevice",
	"sts:GetSessionToken"
	],
	"Resource": "*",
	"Condition": {
	"BoolIfExists": {
	"aws:MultiFactorAuthPresent": "false"
	}
	}
	}
	]
	}
	aws sts get-session-token ^
	--serial-number arn:aws:iam::<account>:mfa/<user> ^
	--token-code <mfa token>