What AWS control can ensure multi-factor authentication (MFA) is required for all IAM users and roles?

Prepare for the GIAC Cloud Security Automation Test with interactive quizzes and multiple choice questions, each equipped with detailed explanations and hints. Sharpen your skills and ace the exam!

To ensure multi-factor authentication (MFA) is required for all IAM users and roles, service control policies (SCPs) are the appropriate AWS control to use. SCPs are a feature of AWS Organizations that enable you to manage permissions across multiple AWS accounts within an organization.

By defining an SCP that enforces MFA, you can restrict access to sensitive resources or actions by requiring that IAM roles and users authenticate with a second factor beyond just a password. This adds an additional layer of security to your cloud environment, helping to prevent unauthorized access even if someone’s password is compromised.

Identity policies, which are attached to IAM users and roles, can dictate access to specific AWS services, actions, and resources but do not inherently enforce MFA as a requirement. Access control lists (ACLs) and resource-based policies primarily control access to resources like S3 buckets or IAM resources but do not apply to enforcing authentication methods like MFA.

In summary, by leveraging SCPs, organizations can ensure that MFA is not only encouraged but required for all IAM roles and users, thus enhancing their overall security posture.
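An added example, not part of the original page: a Python check that audits an SCP document for a Deny statement keyed on `aws:MultiFactorAuthPresent`. The sample policies, their Sids, the chosen EC2 actions and the function names are constructed for illustration; the weak variant uses `Bool`, which does not match when the key is absent from the request context (as with long-term access keys), while `BoolIfExists` does.

```python
"""Audit an SCP for a Deny statement that actually enforces MFA (added example)."""

MFA_KEY = "aws:multifactorauthpresent"  # condition key names are case-insensitive


def _sample_scp(sid, operator):
    """Build a constructed sample SCP; only the condition operator varies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Deny",
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "*",
            "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


# Bool is only evaluated when the key is present, so a request signed with
# long-term access keys (no MFA key in the context) is not denied.
WEAK_SCP = _sample_scp("DenyWithoutMfaWeak", "Bool")
# BoolIfExists also matches when the key is missing, so that request is denied.
STRICT_SCP = _sample_scp("DenyWithoutMfaStrict", "BoolIfExists")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def mfa_deny_findings(policy):
    """Return (sid, verdict) for every Deny statement conditioned on MFA == false."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                values = [str(v).lower() for v in _as_list(value)]
                if key.lower() != MFA_KEY or "false" not in values:
                    continue
                strict = operator.endswith("IfExists")
                verdict = "enforced" if strict else "bypassable-when-key-absent"
                findings.append((stmt.get("Sid", "<no sid>"), verdict))
    return findings


def enforces_mfa(policy):
    """True only if at least one MFA Deny also covers requests lacking the key."""
    return any(verdict == "enforced" for _, verdict in mfa_deny_findings(policy))
```

Run it over each SCP attached in AWS Organizations; a policy that returns only `bypassable-when-key-absent` findings looks like MFA enforcement but leaves requests without the MFA context key unaffected.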
