Synopsis
Use an IAM policy that enforces multi-factor authentication (MFA) by denying access to (almost) all AWS resources for users who have not turned MFA on.
Example
The complete policy is published by AWS under the title "Allows MFA-authenticated IAM users to manage their own credentials on the My Security Credentials page".
To let users who have not yet set up MFA change their password, I'd add "iam:ChangePassword" to the "NotAction" list of the "DenyAllExceptListedIfNoMFA" statement:
{
    "Version": "2012-10-17",
    "Statement": [
        // ...omitted
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
                "iam:ChangePassword"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
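To see why the statement uses "BoolIfExists" rather than "Bool", here is a small added simulator of the Deny statement above. It is not AWS's policy engine and not code from the page: it models only a Deny statement with "NotAction", "Resource": "*" and a Bool/BoolIfExists condition, and the omitted Allow statements are left out, so it only reports whether the explicit deny fires. The request contexts are constructed: a session with MFA carries aws:MultiFactorAuthPresent = "true", a session without it carries "false", and a request signed with long-term access keys carries no such key at all. That last case is the one that matters: with "Bool" a missing key never matches, so the deny would not apply to access-key requests; with "BoolIfExists" the missing key is treated as a match and those requests are denied too.

```python
import copy
import json

# Constructed policy fragment mirroring the DenyAllExceptListedIfNoMFA
# statement from the page. The Allow statements are omitted on purpose,
# so this simulator only answers "does the explicit deny apply?".
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
""")


def condition_matches(condition, context):
    """Evaluate a Condition block against a request context.

    Only the Bool and BoolIfExists operators are modelled (simplification).
      Bool:         a context key that is absent never matches.
      BoolIfExists: a context key that is absent counts as a match.
    """
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False
                continue  # BoolIfExists: missing key is treated as matching
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def statement_applies(statement, action, context):
    """True if the statement's Effect covers this action in this context."""
    if "NotAction" in statement:
        action_hit = action not in statement["NotAction"]
    else:
        actions = statement["Action"]
        action_hit = action in ([actions] if isinstance(actions, str) else actions)
    if not action_hit:
        return False
    return condition_matches(statement.get("Condition", {}), context)


def is_denied(policy, action, context):
    """True if any Deny statement applies; an explicit deny always wins."""
    return any(
        st["Effect"] == "Deny" and statement_applies(st, action, context)
        for st in policy["Statement"]
    )


def with_operator(policy, operator):
    """Copy of the policy with the MFA condition rewritten to use `operator`
    ("Bool" or "BoolIfExists") so the two behaviours can be compared."""
    variant = copy.deepcopy(policy)
    for st in variant["Statement"]:
        cond = st.get("Condition", {})
        if "BoolIfExists" in cond:
            cond[operator] = cond.pop("BoolIfExists")
    return variant


# Constructed request contexts.
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY_REQUEST = {}  # long-term credentials: the key is simply absent

if __name__ == "__main__":
    for label, ctx in [("MFA session", MFA_SESSION),
                       ("no-MFA session", NO_MFA_SESSION),
                       ("access keys", ACCESS_KEY_REQUEST)]:
        print(f"{label:15} s3:ListAllMyBuckets denied: "
              f"{is_denied(POLICY, 's3:ListAllMyBuckets', ctx)}")
    print("With Bool instead, access keys denied:",
          is_denied(with_operator(POLICY, "Bool"), "s3:ListAllMyBuckets",
                    ACCESS_KEY_REQUEST))
```

The password change stays reachable without MFA because "iam:ChangePassword" sits in "NotAction", while any action outside that list is denied for both a non-MFA session and a plain access-key request. Swapping in "Bool" silently exempts the access-key case, which is the gap to check for when reviewing a policy of this shape.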