
How to check whether MFA is enabled for root account in AWS using boto?

I am working on Trusted Advisor and need to check whether MFA is enabled for root level also. It's in the Security section of the Trusted Advisor dashboard. I am working in Python using Boto.

upaang saxena asked Mar 30 '15 06:03



2 Answers

You would use the GetAccountSummary API call in IAM which is available as the get_account_summary method call in boto.iam.IAMConnection.

import boto.iam
conn = boto.iam.connect_to_region('us-east-1')
summary = conn.get_account_summary()

This returns a Python dictionary containing a lot of information about your account. Specifically, to find out if MFA is enabled:

if summary['AccountMFAEnabled']:
    # MFA is enabled
    print('MFA is enabled')
else:
    # MFA is not enabled
    print('MFA is not enabled')
garnaat answered Sep 27 '22 15:09


This answer updates to boto3 and assumes that you have only one account configured in your ~/.aws/config or ~/.aws/credentials file:

import boto3

client = boto3.client('iam')

if client.get_account_summary()['SummaryMap']['AccountMFAEnabled']:
    root_has_mfa = True
else:
    root_has_mfa = False

If you'd prefer to have the dictionary that get_account_summary returns, you can do that too:

import boto3

client = boto3.client('iam')

summary = client.get_account_summary()['SummaryMap']

if summary['AccountMFAEnabled']:
    root_has_mfa = True
else:
    root_has_mfa = False
eatsfood answered Sep 27 '22 17:09
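
Added example, not part of either answer above: the second answer assumes a single configured account, so this sketch runs the same GetAccountSummary check across several profiles and reports a failed or incomplete call as "unknown" instead of silently counting it as MFA-disabled or MFA-enabled. The helper names, the StubIAM class and the prod/dev/old sample accounts are constructed for illustration.

```python
"""Added example: root-account MFA check across several AWS profiles (fail closed)."""


def root_mfa_enabled(iam_client):
    """True only when GetAccountSummary reports AccountMFAEnabled == 1."""
    summary = iam_client.get_account_summary()["SummaryMap"]
    # A missing key raises KeyError: "cannot tell" must not be read as a result.
    return summary["AccountMFAEnabled"] == 1


def audit_profiles(client_factory, profiles):
    """Return {profile: 'enabled' | 'disabled' | 'unknown: <ExceptionName>'}."""
    report = {}
    for name in profiles:
        try:
            enabled = root_mfa_enabled(client_factory(name))
            report[name] = "enabled" if enabled else "disabled"
        except Exception as exc:  # denied call, bad credentials, malformed reply
            report[name] = "unknown: " + type(exc).__name__
    return report


def all_confirmed(report):
    """Compliance gate: every account must be positively confirmed."""
    return bool(report) and all(status == "enabled" for status in report.values())


def boto3_iam_client(profile_name):
    """Real client for one profile from ~/.aws/config or ~/.aws/credentials."""
    import boto3  # lazy import: the functions above also work with a stub client
    return boto3.Session(profile_name=profile_name).client("iam")


class StubIAM:
    """Constructed stand-in for an IAM client, for offline runs."""
    def __init__(self, summary_map):
        self._map = summary_map

    def get_account_summary(self):
        return {"SummaryMap": self._map}


if __name__ == "__main__":
    # Constructed sample accounts; swap in boto3_iam_client and
    # boto3.Session().available_profiles to query real profiles.
    stubs = {"prod": StubIAM({"AccountMFAEnabled": 1}),
             "dev": StubIAM({"AccountMFAEnabled": 0}),
             "old": StubIAM({})}
    report = audit_profiles(stubs.__getitem__, stubs)
    print(report, "all confirmed:", all_confirmed(report))
```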