Use an IAM policy that enforces multi-factor authentication (MFA): it denies access to (almost) all AWS actions for users who have not turned MFA on.


The complete policy can be found in the AWS documentation: "AWS: Allows MFA-authenticated IAM users to manage their own credentials on the My Security Credentials page".

To let users who have not yet set up MFA change their password, I'd add "iam:ChangePassword" to the "NotAction" list of the "DenyAllExceptListedIfNoMFA" statement:

    {
        "Version": "2012-10-17",
        "Statement": [
            // ...omitted: the Allow statements from the AWS policy
            {
                "Sid": "DenyAllExceptListedIfNoMFA",
                "Effect": "Deny",
                "NotAction": [
                    "iam:ChangePassword",
                    // ...omitted: the other NotAction entries from the AWS policy
                ],
                "Resource": "*",
                "Condition": {
                    "BoolIfExists": {
                        "aws:MultiFactorAuthPresent": "false"
                    }
                }
            }
        ]
    }
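To see what the edited statement actually does, here is an added example (not from the AWS documentation or the original post): a minimal, constructed evaluator for just the NotAction and BoolIfExists logic of this one Deny statement. It assumes a shortened NotAction list and hand-built request contexts; note that "not denied" by this statement is not the same as "allowed", since the Allow statements elsewhere in the policy are what grant the listed actions.

```python
# Constructed sample: the DenyAllExceptListedIfNoMFA statement, with the
# NotAction list shortened to the entries relevant to this example.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:ChangePassword",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
            },
        }
    ],
}


def condition_matches(condition, context):
    """Evaluate only the BoolIfExists operator this policy uses.
    For *IfExists operators a missing context key counts as a match, so a
    request carrying no MFA key at all (e.g. long-term access keys) matches."""
    for key, expected in condition.get("BoolIfExists", {}).items():
        if key not in context:
            continue  # absent key satisfies an IfExists condition
        if str(context[key]).lower() != expected.lower():
            return False
    return True


def denied_by_policy(policy, action, context):
    """True if any Deny statement matches `action` under `context`.
    Toy evaluator: exact action names only, no wildcards, no Allow logic."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            applies = action not in stmt["NotAction"]  # everything except the list
        else:
            acts = stmt["Action"]
            applies = action in (acts if isinstance(acts, list) else [acts])
        if applies and condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```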