MFA for IAM Users, Service Accounts and CLI Access
Do you need MFA on your IAM User accounts? What about Service Accounts or IAM users used for CLI access only?
It depends on what the user account is used for. It can be used in the following potential ways
- Console Access (you absolutely NEED MFA here)
- CLI and Programmatic Access using IAM User Keys - You MAY be able to get away without MFA here (the biggest risk is if your laptop is stolen..even then, bitlocker on your OS should provide a level of protection)
- Service Accounts used for Programmatic access - This is a special case of point 2 above. This is a true programmatic identity. It doesn't make sense to put MFA around this, as that would block all automated access. However, on windows a batch script can automatically retrieve a token that prompts you for MFA. Same on linux. The idea is that your CLI / Cloud Shell / gCloud command prompt will you for MFA each time you run a command.
Summary
MFA is key to securing your credentials. Each of the access methods - console access and programmatic access, can be protected with MFA.
Leave a Reply