Hello,
I have seen and invested some time in the AWS SSO setup, but while reading the Terraform documentation, including forum posts, I noticed that MFA is a MUST and Terraform cannot be run/executed without it, or at least I could not see such an option from what I was able to dig up.
In this case, shouldn’t the SSO also be as secure as MFA (ofc depending on the settings)? You can set the “Token Session = *******************” to expire in at least 1 hour, up to 36 hours or so. That means that after the “X” time set for the Token Session, you will be asked either to edit your config file or re-type the Session Token when you try to run a plan/apply/init, etc. As we are all trying to evolve and manage things in 1 place rather than 55 different places (user-management-wise) when we are talking about a large organization, moving to SSO does the trick, but some users won’t be able to convert to it if Terraform requires only MFA and cannot work with Token Sessions instead.
Looking forward to any suggestions and ideas.
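Added example (not from the post above and not from the HashiCorp docs): an AWS provider block that pastes a short-lived session token into HCL, beside one that delegates credentials to an AWS SSO profile in the shared config file so the secret never lives in the Terraform code. The profile name, account id, role name and start URL are placeholders.

```hcl
# Option A (weak): temporary credentials pasted into the provider block.
# The session token expires, so every rotation means editing this file,
# and the secret can leak into version control or shared state backups.
provider "aws" {
  alias      = "pasted_session"
  region     = "eu-west-1"
  access_key = "ASIA_PLACEHOLDER"          # placeholder, not a real key
  secret_key = "SECRET_PLACEHOLDER"        # placeholder
  token      = "SESSION_TOKEN_PLACEHOLDER" # placeholder, expires in hours
}

# Option B: no secrets in HCL. The provider reads the named profile from the
# shared AWS config file, and the AWS SDK exchanges the cached SSO login
# (created by `aws sso login --profile sso-dev`) for temporary keys.
# Assumed ~/.aws/config (placeholder values):
#
#   [profile sso-dev]
#   sso_start_url  = https://example-placeholder.awsapps.com/start
#   sso_region     = eu-west-1
#   sso_account_id = 111111111111
#   sso_role_name  = TerraformDeploy
#   region         = eu-west-1
#
# When the cached SSO token expires, terraform fails with a credentials
# error; re-running `aws sso login --profile sso-dev` (with whatever MFA the
# identity provider enforces) refreshes it without editing any file.
provider "aws" {
  region  = "eu-west-1"
  profile = "sso-dev"
}
```

Setting `AWS_PROFILE=sso-dev` in the environment instead of the `profile` argument keeps the provider block free of any environment-specific values.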