BOTO3: Find users in AWS IAM with no MFA enabled

AWS IAM provides an additional layer of security for IAM users with multi-factor authentication (MFA). When MFA is enabled, users are prompted for an authentication code after entering their username and password. AWS supports virtual MFA devices, U2F security keys, hardware MFA devices and more. Virtual MFA devices, especially Google Authenticator, are commonly used.

When you create a user account, you can enable MFA and ask the user to scan the QR code to configure it. However, when you create multiple users there is a chance that you miss configuring MFA for some of them, or users will ask you to temporarily disable it because they changed or lost their phones, or for other reasons.

AWS Console – IAM page

On the IAM users page we can see which users have console access and their MFA status. It is fine for users/accounts to exist with no MFA and no console access. However, users with console access but no MFA enabled require immediate attention.

AWS IAM users page

Though we can find users with no MFA enabled on the IAM page, it is tedious to check each line (one per user). AWS provides an option to export the details to CSV, but that involves a lot of manual work.

To overcome this, I created a Python script using boto3 which automatically prints the list of users who have AWS console access but do not have MFA enabled.

Boto3 script

First, the script gets the users in your IAM and stores them in the 'DETAILS' variable. The output is a dict, so we iterate over DETAILS['Users'] and pass each username to the get_login function.

The get_login function checks whether the user has a login profile, i.e. console access. If it exists, it calls the get_mfa function, passing the username as an argument. The get_mfa function lists the user's MFA devices and checks whether any exist for the account. If none exist, it prints 'MFA not enabled: username'.

Github link: https://github.com/kannan-ak/boto3/blob/master/list_no_mfa_users.py

""" This script will print the list of IAM users who have console access but MFA not enabled.
Author: Kannan Anandakrishnan
Requirements: boto3 package installed, aws credentials configured.
"""

# Importing boto3 client
import boto3

# Creating boto3 handle for iam resource
IAM_CLIENT = boto3.client('iam')

def get_login(user):
    
""" Checks whether user has login profile (console access). If exists, calls get_mfa func. If no login profile exists, we will get NoSuchEntityException. Catch the error and pass.
        Parameters: user (string): Username of IAM user
    """

    try:
        response = IAM_CLIENT.get_login_profile(UserName=user)
        if response['LoginProfile']['UserName'] == user:
            get_mfa(user)
    except IAM_CLIENT.exceptions.NoSuchEntityException:
        pass

def get_mfa(user):

    """ Check the mfa devices attached to the user. If no mfa exists, print MFA not enabled.
        Parameters: user (string): Username of IAM user who has login profile enabled.
    """

    response = IAM_CLIENT.list_mfa_devices(UserName=user)
    if response['MFADevices'] != [] and "mfa" in response['MFADevices'][0]['SerialNumber']:
        pass
    else:
        print("MFA not enabled: {}".format(user))

if __name__ == '__main__':
# Use boto3 paginator option if number of users is very high. 
    DETAILS = IAM_CLIENT.list_users(MaxItems=250)
    for user_detail in DETAILS['Users']:
        get_login(user_detail['UserName'])
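Another way to perform the same check, added here as an example that is not part of the original post or the linked repository: the IAM credential report returns every user's console-password and MFA status in one download, so no per-user API calls are needed. The CSV sample is constructed, with columns trimmed to the ones used, and the account ID in it is a placeholder.

```python
"""Find console users without MFA from the IAM credential report (added example)."""
import csv
import io
import time

# Constructed sample of a credential report (real reports carry more columns).
# 'bob' has a console password but no MFA; 'svc-deploy' has no console password.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,no_information,not_supported,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2020-01-02T00:00:00+00:00,true,no_information,2020-01-02T00:00:00+00:00,N/A,true
bob,arn:aws:iam::111122223333:user/bob,2020-01-03T00:00:00+00:00,true,no_information,2020-01-03T00:00:00+00:00,N/A,false
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2020-01-04T00:00:00+00:00,false,N/A,N/A,N/A,false
"""


def users_without_mfa(report_csv):
    """Return usernames that have console access but no active MFA device.

    'password_enabled' is 'true'/'false' for IAM users; the <root_account> row
    reports 'not_supported' there but the root user always has a password, so it
    is treated as having console access.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console_access = row["password_enabled"] == "true" or row["user"] == "<root_account>"
        mfa_active = row["mfa_active"] == "true"
        if console_access and not mfa_active:
            flagged.append(row["user"])
    return flagged


def fetch_credential_report(iam_client, attempts=10):
    """Generate (if needed) and download the credential report as CSV text.

    generate_credential_report is asynchronous: it returns State STARTED or
    INPROGRESS until the report is ready, so poll until COMPLETE.
    """
    for _ in range(attempts):
        if iam_client.generate_credential_report()["State"] == "COMPLETE":
            return iam_client.get_credential_report()["Content"].decode("utf-8")
        time.sleep(2)
    raise RuntimeError("credential report was not ready in time")


if __name__ == "__main__":
    import boto3  # only needed when run against a real account

    for name in users_without_mfa(fetch_credential_report(boto3.client("iam"))):
        print("MFA not enabled: {}".format(name))
```

Running it against the sample flags only bob; against a real account it also reports the root user if root has no MFA, which the per-user script above cannot see because root has no login profile to query.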

Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
