Audit of AWS IAM Users for MFA Compliance

The workflow lists the AWS IAM users that have a console password (a login profile) and checks whether each of them has a Multi-Factor Authentication (MFA) device registered. Users are then categorized as compliant or non-compliant with the rule that console access requires MFA. Users without a console password are skipped, since the rule does not apply to them. The outcome is a clear picture of the current MFA compliance status among IAM users with console access, which is the input for remediation.

    This script lists AWS IAM users with console passwords and checks if they have MFA enabled, categorizing them based on compliance.

    import json
    import os

    import boto3

    # Initialize the boto3 client for IAM. Credentials are read from the
    # environment (the original called an undefined getEnvVar helper);
    # IAM is a global service, so the region only selects the endpoint.
    client = boto3.client(
        'iam',
        aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID'],
        aws_secret_access_key=os.environ['AWS_SECRET_ACCESS_KEY'],
        region_name='us-west-2'
    )

    # Get all IAM users; list_users is paginated, so accounts with more
    # than one page of users would otherwise be silently truncated
    users = []
    for page in client.get_paginator('list_users').paginate():
        users.extend(page['Users'])

    users_with_mfa_status = {}

    for user in users:
        username = user['UserName']

        # Check if the user has a console password (a login profile)
        try:
            client.get_login_profile(UserName=username)
        except client.exceptions.NoSuchEntityException:
            # User does not have a console password, so the rule does not apply
            continue

        # Get MFA devices for the user
        mfa_devices = client.list_mfa_devices(UserName=username)['MFADevices']

        # Determine MFA status
        mfa_enabled = len(mfa_devices) > 0
        compliance_status = 'Compliant' if mfa_enabled else 'Non-Compliant'

        users_with_mfa_status[username] = {
            'MFAEnabled': mfa_enabled,
            'ComplianceStatus': compliance_status
        }

    # Print the categorized users
    print(json.dumps(users_with_mfa_status, indent=4, default=str))
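A second way to run the same audit, added here as an example and not part of the page's own script: it reads the IAM credential report, which covers every user (and the root account) in a single API call instead of two calls per user. The classification runs offline on a constructed sample report; the column names are those of the real credential report, and the fetch helper assumes the caller may call GenerateCredentialReport and GetCredentialReport.

```python
import csv
import io
import json
import time

# Constructed sample in the layout of an IAM credential report. Only the
# columns this check reads are meaningful; the account id is a placeholder.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true,false,false
alice,arn:aws:iam::123456789012:user/alice,2021-01-01T00:00:00+00:00,true,2024-01-01T00:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,true,true,false
bob,arn:aws:iam::123456789012:user/bob,2021-02-01T00:00:00+00:00,true,no_information,2021-02-01T00:00:00+00:00,N/A,false,false,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,false
"""


def classify_mfa_compliance(report_csv):
    """Return {principal: status} for every principal with a console password.

    'Compliant' means an MFA device is active, otherwise 'Non-Compliant'.
    Users without a console password are skipped, as in the page's rule.
    The root account reports password_enabled as 'not_supported', but it
    always has a console password, so it is included explicitly.
    """
    result = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row['user']
        if user == '<root_account>':
            has_password = True
        else:
            has_password = row['password_enabled'] == 'true'
        if not has_password:
            continue
        mfa_active = row['mfa_active'] == 'true'
        result[user] = 'Compliant' if mfa_active else 'Non-Compliant'
    return result


def fetch_credential_report(iam_client, attempts=10):
    """Generate and download the live report (needs network and IAM rights).

    Generation is asynchronous, so poll until the state is COMPLETE.
    """
    for _ in range(attempts):
        if iam_client.generate_credential_report()['State'] == 'COMPLETE':
            return iam_client.get_credential_report()['Content'].decode('utf-8')
        time.sleep(2)
    raise RuntimeError('credential report not ready')


if __name__ == '__main__':
    print(json.dumps(classify_mfa_compliance(SAMPLE_REPORT), indent=4))
```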