list_users_without_mfa
Identify IAM users without MFA enabled to enhance AWS account security by detecting potential vulnerabilities.
Instructions
Lists IAM users who do not have MFA enabled.
Input Schema

| Name | Required | Description | Default |
|---|---|---|---|
| (none) | | This tool takes no arguments; its input schema is an empty object. | |
Implementation Reference
- src/index.ts:1133-1162 (handler): the main handler logic for the 'list_users_without_mfa' tool. It lists all IAM users and checks each one for attached MFA devices using ListMFADevicesCommand, collecting those without MFA.

  ```typescript
  if (name === "list_users_without_mfa") {
    const listCmd = new ListUsersCommand({});
    const listResp = await iamClient.send(listCmd);
    const users = listResp.Users || [];
    const noMfaUsers = [];
    // Checking users sequentially to avoid rate limiting
    for (const user of users) {
      if (!user.UserName) continue;
      try {
        const mfaCmd = new ListMFADevicesCommand({ UserName: user.UserName });
        const mfaResp = await iamClient.send(mfaCmd);
        if (!mfaResp.MFADevices || mfaResp.MFADevices.length === 0) {
          noMfaUsers.push({
            UserName: user.UserName,
            UserId: user.UserId,
            CreateDate: user.CreateDate,
            PasswordLastUsed: user.PasswordLastUsed
          });
        }
      } catch (err) {
        // Ignore errors (e.g. AccessDenied)
      }
    }
    return { content: [{ type: "text", text: JSON.stringify(noMfaUsers, null, 2) }] };
  }
  ```

- src/index.ts:350-356 (registration): registration of the 'list_users_without_mfa' tool in the ListTools response, including its name, description, and empty input schema.

  ```typescript
  {
    name: "list_users_without_mfa",
    description: "Lists IAM users who do not have MFA enabled.",
    inputSchema: { type: "object", properties: {} }
  }
  ```

- src/index.ts:352-355 (schema): input schema for the tool, which takes no parameters.

  ```typescript
  description: "Lists IAM users who do not have MFA enabled.",
  inputSchema: { type: "object", properties: {} }
  ```
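The handler above has two behaviours a reviewer of audit output should know about: ListUsers is paginated (the SDK returns at most 100 users per call unless you follow `IsTruncated`/`Marker`), so users past the first page are never checked, and a failed ListMFADevices call (for example AccessDenied) is swallowed, so a user whose MFA state could not be read simply disappears from the result instead of being flagged. The following is an added example, not the project's code, showing a pagination-aware version that reports unverifiable users separately. The IAM client is modelled by a small hypothetical `IamReader` interface so the example runs offline; `auditMfa`, `fakeIam` and the field names are this example's own, chosen to mirror the SDK response shapes, and the user data is constructed.

```typescript
// Added example (not the project's code): pagination-aware, permission-aware MFA audit.
// Response shapes mirror the fields the AWS SDK responses carry (assumption: these suffice).
interface IamUser {
  UserName?: string;
  UserId?: string;
  CreateDate?: Date;
  PasswordLastUsed?: Date;
}
interface ListUsersPage { Users?: IamUser[]; IsTruncated?: boolean; Marker?: string }
interface MfaDevice { SerialNumber?: string }

// Hypothetical adapter over the IAM client (names are this example's, not the SDK's).
// With the real SDK, listUsers would wrap iamClient.send(new ListUsersCommand({ Marker }))
// and listMfaDevices would wrap iamClient.send(new ListMFADevicesCommand({ UserName })).
interface IamReader {
  listUsers(marker?: string): Promise<ListUsersPage>;
  listMfaDevices(userName: string): Promise<MfaDevice[]>;
}

interface MfaAudit {
  withoutMfa: IamUser[];                                 // confirmed: no MFA device attached
  unverified: { UserName: string; reason: string }[];    // MFA state could not be read
}

// Walks every page of ListUsers, then checks each user's MFA devices sequentially
// (the same throttling-avoidance choice the tool makes). A failed ListMFADevices call
// is recorded rather than dropped, so a permission gap cannot masquerade as "all users have MFA".
async function auditMfa(iam: IamReader): Promise<MfaAudit> {
  const result: MfaAudit = { withoutMfa: [], unverified: [] };
  let marker: string | undefined;
  do {
    const page = await iam.listUsers(marker);
    for (const user of page.Users ?? []) {
      if (!user.UserName) continue;
      try {
        const devices = await iam.listMfaDevices(user.UserName);
        if (devices.length === 0) result.withoutMfa.push(user);
      } catch (err) {
        result.unverified.push({ UserName: user.UserName, reason: String(err) });
      }
    }
    // Only continue while the service says more pages exist.
    marker = page.IsTruncated ? page.Marker : undefined;
  } while (marker);
  return result;
}

// Constructed fake client: four users across two pages. "carol" has an MFA device,
// and reading "dave" fails with an AccessDenied-style error.
function fakeIam(): IamReader {
  const pages: Record<string, ListUsersPage> = {
    start: { Users: [{ UserName: "alice" }, { UserName: "bob" }], IsTruncated: true, Marker: "p2" },
    p2: { Users: [{ UserName: "carol" }, { UserName: "dave" }], IsTruncated: false },
  };
  const mfa: Record<string, MfaDevice[]> = {
    alice: [],
    bob: [],
    carol: [{ SerialNumber: "arn:aws:iam::000000000000:mfa/carol" }], // constructed value
  };
  return {
    listUsers: async (marker?: string) => pages[marker ?? "start"],
    listMfaDevices: async (name: string) => {
      if (name === "dave") throw new Error("AccessDenied");
      return mfa[name] ?? [];
    },
  };
}

// Stand-alone usage: prints the audit as JSON, in the same spirit as the tool's text response.
auditMfa(fakeIam()).then((audit) => console.log(JSON.stringify(audit, null, 2)));
```

Against the constructed data this reports alice and bob under `withoutMfa` and dave under `unverified`; the original handler would have reported alice and bob only, and, had the account held more than one page of users, would have missed everyone on the later pages.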