Last active
April 2, 2020 20:02
-
-
Save incyclum/7847f77e7875a9c31a29adef8a3f91d8 to your computer and use it in GitHub Desktop.
AWS IAM Policy - Force MFA - This policy allows users to manage their own passwords and MFA devices but nothing else unless they authenticate with MFA -- *EDIT*: I forgot where I found it in the 1st place. In fact this policy is explained statement by statement in AWS docs: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-man…
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "AllowAllUsersToListAccounts", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:ListAccountAliases", | |
| "iam:ListUsers", | |
| "iam:GetAccountPasswordPolicy", | |
| "iam:GetAccountSummary" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Sid": "AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:CreateAccessKey", | |
| "iam:DeleteAccessKey", | |
| "iam:DeleteLoginProfile", | |
| "iam:GetLoginProfile", | |
| "iam:ListAccessKeys", | |
| "iam:UpdateAccessKey", | |
| "iam:UpdateLoginProfile", | |
| "iam:ListSigningCertificates", | |
| "iam:DeleteSigningCertificate", | |
| "iam:UpdateSigningCertificate", | |
| "iam:UploadSigningCertificate", | |
| "iam:ListSSHPublicKeys", | |
| "iam:GetSSHPublicKey", | |
| "iam:DeleteSSHPublicKey", | |
| "iam:UpdateSSHPublicKey", | |
| "iam:UploadSSHPublicKey" | |
| ], | |
| "Resource": "arn:aws:iam::*:user/${aws:username}" | |
| }, | |
| { | |
| "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:ListVirtualMFADevices", | |
| "iam:ListMFADevices" | |
| ], | |
| "Resource": [ | |
| "arn:aws:iam::*:mfa/*", | |
| "arn:aws:iam::*:user/${aws:username}" | |
| ] | |
| }, | |
| { | |
| "Sid": "AllowIndividualUserToManageTheirOwnMFA", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:CreateVirtualMFADevice", | |
| "iam:DeleteVirtualMFADevice", | |
| "iam:EnableMFADevice", | |
| "iam:ResyncMFADevice" | |
| ], | |
| "Resource": [ | |
| "arn:aws:iam::*:mfa/${aws:username}", | |
| "arn:aws:iam::*:user/${aws:username}" | |
| ] | |
| }, | |
| { | |
| "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:DeactivateMFADevice" | |
| ], | |
| "Resource": [ | |
| "arn:aws:iam::*:mfa/${aws:username}", | |
| "arn:aws:iam::*:user/${aws:username}" | |
| ], | |
| "Condition": { | |
| "Bool": { | |
| "aws:MultiFactorAuthPresent": "true" | |
| } | |
| } | |
| }, | |
| { | |
| "Sid": "BlockMostAccessUnlessSignedInWithMFA", | |
| "Effect": "Deny", | |
| "NotAction": [ | |
| "iam:ChangePassword", | |
| "iam:CreateLoginProfile", | |
| "iam:CreateVirtualMFADevice", | |
| "iam:DeleteVirtualMFADevice", | |
| "iam:ListVirtualMFADevices", | |
| "iam:EnableMFADevice", | |
| "iam:ResyncMFADevice", | |
| "iam:ListAccountAliases", | |
| "iam:ListUsers", | |
| "iam:ListSSHPublicKeys", | |
| "iam:ListAccessKeys", | |
| "iam:ListServiceSpecificCredentials", | |
| "iam:ListMFADevices", | |
| "iam:GetAccountSummary", | |
| "sts:GetSessionToken" | |
| ], | |
| "Resource": "*", | |
| "Condition": { | |
| "BoolIfExists": { | |
| "aws:MultiFactorAuthPresent": "false" | |
| } | |
| } | |
| } | |
| ] | |
| } |
Some people pointed out the original source of that policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html) and they're right I remember that I found it here times ago. Credit where credit is due 😅.
Very nice. There are some problems here - 1) you require MFA to delete MFA. The use case for deleting MFA is... losing your phone, for example. If you want to enable self-service, you can move the user to a crippled group, incorporating some of the policy you have above. I do this with a Lambda function that checks for the association of an MFA with the user. Move users in and out of the crippled group appropriately. 2) you make assumptions about paths (maybe you don't use them, but I do), so something like this is recommended
"Resource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}",
"arn:aws:iam::*:user/*/${aws:username}"
],
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This will be very handy; thank you.