Ensure MFA is Required for Third Party IAM Roles with Cross-Account Access

Description:

IAM roles in AWS can be assumed by entities outside of your AWS account, such as third-party accounts or AWS services. This is often referred to as cross-account access. It is crucial to ensure that any such cross-account access is secure. Requiring Multi-Factor Authentication (MFA) for these IAM roles adds an additional layer of security, so that a principal in the third-party account must have authenticated with MFA, not just hold valid credentials, before it can assume the role.


Remediation:

1. Identify IAM Roles with Cross-Account Access:

AWS Management Console:
  • Navigate to the IAM Console.
  • In the navigation pane, choose Roles.
  • Review the roles and their trust relationships. Identify roles that allow cross-account access: a role does so when its trust relationship grants an "sts:AssumeRole" (or "sts:AssumeRoleWithWebIdentity") action to a principal from another AWS account.

2. Update Trust Policies to Require MFA:

For each identified role:

  • Modify the trust policy to include a condition that checks for MFA before the role can be assumed.

The trust policy should look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::THIRD_PARTY_ACCOUNT_ID:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}

AWS Management Console:
  • In the IAM Console, select the identified role.
  • Under the Trust relationships tab, choose Edit trust relationship.
  • Update the JSON policy to include the MFA condition mentioned above.

3. Inform Third Parties:

Ensure that third-party entities are informed about the MFA requirement so they can configure their access accordingly.

4. Regularly Audit IAM Roles:

  • Periodically review IAM roles and their trust relationships to ensure that any new roles with cross-account access also require MFA.
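As an added example for steps 1 and 4 (not part of this control's text), the Python helper below parses a role's trust policy document and reports every principal from another account that can call sts:AssumeRole without the strict MFA condition shown above. It deliberately treats a "BoolIfExists" condition as unprotected, because that form allows the call when the aws:MultiFactorAuthPresent key is absent from the request. The account IDs and the sample_policy builder are constructed placeholders, not values from any real account.

```python
import json

# Condition key that, tested with "Bool": "true", blocks sts:AssumeRole unless the caller's session used MFA.
MFA_KEY = "aws:MultiFactorAuthPresent"


def _as_list(value):
    """IAM policy elements may be a single string/object or a list of them."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _principal_accounts(principal):
    """Return the account IDs (or "*") named in a statement's AWS principal."""
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict):
        return set()
    accounts = set()
    for entry in _as_list(principal.get("AWS")):
        if entry == "*":
            accounts.add("*")
        elif entry.startswith("arn:aws:iam::"):
            accounts.add(entry.split(":")[4])  # arn:aws:iam::<account>:root
    return accounts


def _requires_mfa(statement):
    """True only for the strict form {"Bool": {"aws:MultiFactorAuthPresent": "true"}}."""
    # "BoolIfExists" is deliberately rejected: it allows the call when the key is absent.
    value = statement.get("Condition", {}).get("Bool", {}).get(MFA_KEY)
    return str(value).lower() == "true"


def find_unprotected_cross_account_principals(trust_policy_json, own_account_id):
    """List accounts other than our own that may assume the role without MFA."""
    findings = []
    for stmt in _as_list(json.loads(trust_policy_json).get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*"}:
            continue
        foreign = _principal_accounts(stmt.get("Principal", {})) - {own_account_id}
        if foreign and not _requires_mfa(stmt):
            findings.extend(sorted(foreign))
    return findings


def sample_policy(condition=None):
    """Constructed sample trust policy (placeholder account ID, not a real one)."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
            "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})
```

In practice you would feed it the document returned for each role by the IAM API (the AssumeRolePolicyDocument field) and run it on a schedule to catch new cross-account roles.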

Recommendation:

Requiring MFA for IAM roles with cross-account access is a robust security measure that significantly reduces the risk of unauthorized access. Always ensure that any IAM role which can be assumed by entities outside of your AWS account has MFA enforced. Additionally, maintain open communication with third parties to ensure they are aware of and can comply with your security requirements.