diff --git a/api/middleware/policy.go b/api/middleware/policy.go
index 5953f01e..f1c1f320 100644
--- a/api/middleware/policy.go
+++ b/api/middleware/policy.go
@@ -464,6 +464,7 @@ func determineProperties(r *http.Request, decoder XMLDecoder, resolver BucketRes
 		res[k] = v
 	}
 
+	res[s3.PropertyKeyAccessBoxAttrMFA] = "false"
 	attrs, err := GetAccessBoxAttrs(r.Context())
 	if err == nil {
 		for _, attr := range attrs {
diff --git a/api/router_test.go b/api/router_test.go
index c181c535..6ca91a0d 100644
--- a/api/router_test.go
+++ b/api/router_test.go
@@ -636,6 +636,26 @@ func TestSourceIPCheck(t *testing.T) {
 	createBucket(router, ns, bktName)
 }
 
+func TestMFAPolicy(t *testing.T) {
+	router := prepareRouter(t)
+
+	ns, bktName := "", "bucket"
+	router.middlewareSettings.denyByDefault = true
+
+	allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)
+	denyOperations(router, ns, []string{"s3:CreateBucket"}, engineiam.Conditions{
+		engineiam.CondBool: engineiam.Condition{s3.PropertyKeyAccessBoxAttrMFA: []string{"false"}},
+	})
+	createBucketErr(router, ns, bktName, nil, apiErrors.ErrAccessDenied)
+
+	var attr object.Attribute
+	attr.SetKey("IAM-MFA")
+	attr.SetValue("true")
+	router.cfg.Center.(*centerMock).attrs = []object.Attribute{attr}
+
+	createBucket(router, ns, bktName)
+}
+
 func allowOperations(router *routerMock, ns string, operations []string, conditions engineiam.Conditions) {
 	addPolicy(router, ns, "allow", engineiam.AllowEffect, operations, conditions)
 }