Is it possible to create an IAM rule or an SCP (organization rule) to enforce MFA for all users in a certain group or with certain rights (e.g. administrators or power user)?
To the best of my knowledge, you can attach a deny portion to any policy or create a deny policy and attach it to any group.
For example, you have an "Administrators" group that has many roles added as well as a "MultifactorAuthForce" policy:
Example of "MultifactorAuthForce":

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllWithoutMFA",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```
Update: Just tested it on my account and the policy works. Created an account without MFA, added a password and assigned it to the group above. When logged in as that user, I was denied all actions on all resources. Afterwards, I added MFA to the user and logged in again. I was able to see the resources.
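As an added illustration (not part of the answer above, and not AWS code), here is a small Python evaluator that applies the Deny statement's condition to three constructed request contexts; it also shows why the answer's `BoolIfExists` operator, rather than plain `Bool`, is what makes the deny cover requests signed with long-term access keys, where `aws:MultiFactorAuthPresent` is absent from the context.

```python
import copy
import json

# Copy of the "MultifactorAuthForce" policy from the answer, embedded so this runs offline.
MFA_DENY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllWithoutMFA",
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
  }]
}""")

# Constructed request contexts, as IAM would see them for each kind of caller.
CONTEXTS = {
    "console_with_mfa": {"aws:MultiFactorAuthPresent": "true"},
    "console_no_mfa": {"aws:MultiFactorAuthPresent": "false"},
    "access_key_call": {},  # long-term access keys never carry the MFA key at all
}

def condition_matches(operator, pairs, context):
    """Evaluate one condition block for the Bool / BoolIfExists operators.
    With the ...IfExists suffix a missing context key counts as a match;
    without it a missing key makes the condition fail."""
    if operator not in ("Bool", "BoolIfExists"):
        raise ValueError(f"unsupported operator {operator}")
    for key, expected in pairs.items():
        if key not in context:
            if operator == "Bool":
                return False
            continue
        if context[key].lower() != str(expected).lower():
            return False
    return True

def is_denied(policy, context):
    """True if every condition of some Deny statement matches the request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conds = stmt.get("Condition", {})
        if all(condition_matches(op, kv, context) for op, kv in conds.items()):
            return True
    return False

def with_operator(policy, operator):
    """Return a copy of the policy whose single condition uses the given operator."""
    p = copy.deepcopy(policy)
    cond = p["Statement"][0]["Condition"]
    p["Statement"][0]["Condition"] = {operator: next(iter(cond.values()))}
    return p
```

Running `is_denied` over the three contexts shows the access-key call is denied only with `BoolIfExists`; with plain `Bool` that caller would slip past the statement.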