我希望强制所有IAM用户(本地和远程)启用和激活他们的MFA设备。 我希望他们都能让MFA完成各自的任务。
我正在尝试以下政策
{
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
}
然而;无论您如何通过控制台或通过API访问服务,此政策都适用
由于没有暗示MFA身份验证,所有用户都会自动完成许多自动化操作并实现自动化。
作为第一步,我们希望每个人至少能够通过MFA进行控制台登录;但同样不应强制它们将MFA用于自动化中使用的API调用。
这可以通过IAM政策实现吗?
由于
答案 0 :(得分:19)
诀窍是反转检查...而不是仅仅允许如果aws:MultiFactorAuthPresent为true,否则判断它是否为假。
以下是有关自助服务MFA管理的文档:http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html
建议的完整政策是:
{
"Version": "2012-10-17",
"Statement":[
{
"Sid": "AllowAllUsersToListAccounts",
"Effect": "Allow",
"Action":[
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:GetAccountSummary"
],
"Resource": "*"
},
{
"Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation",
"Effect": "Allow",
"Action":[
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:DeleteAccessKey",
"iam:DeleteLoginProfile",
"iam:GetAccountPasswordPolicy",
"iam:GetLoginProfile",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
"iam:UpdateLoginProfile",
"iam:ListSigningCertificates",
"iam:DeleteSigningCertificate",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate",
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey",
"iam:DeleteSSHPublicKey",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::accountid:user/${aws:username}"
},
{
"Sid": "AllowIndividualUserToListTheirOwnMFA",
"Effect": "Allow",
"Action":[
"iam:ListVirtualMFADevices",
"iam:ListMFADevices"
],
"Resource":[
"arn:aws:iam::accountid:mfa/*",
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToManageTheirOwnMFA",
"Effect": "Allow",
"Action":[
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:RequestSmsMfaRegistration",
"iam:FinalizeSmsMfaRegistration",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource":[
"arn:aws:iam::accountid:mfa/${aws:username}",
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition":{
"BoolIfExists":{ "aws:MultiFactorAuthPresent": "false"}
}
}
]
}
最重要的部分是最后一个声明,即拒绝。如果你改成它:
{
"Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition":{
"Bool":{ "aws:MultiFactorAuthPresent": "false"}
}
}
(BoolIfExists更改为Bool)它将允许IAM访问密钥绕过MFA的要求,同时仍然要求您在通过AWS控制台登录时使用MFA。
如果您决定使用文档中的完整策略,请务必小心。请注意,它允许用户创建访问密钥并更改其密码,而deny子句仅阻止非IAM操作...这意味着,如果在帐户上禁用MFA,则可以更改用户的密码或者可以在没有MFA检查的情况下配置新的访问密钥,如果您更改了Bool,那么这些新的访问密钥将能够访问用户拥有权限的任何内容,而无需MFA。 I.E.,不安全密钥的所有安全漏洞,有可能在帐户上劫持。
我建议改用类似的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllUsersToListAccounts",
"Effect": "Allow",
"Action": [
"iam:ListAccountAliases",
"iam:ListUsers"
],
"Resource": [
"arn:aws:iam::accountid:user/*"
]
},
{
"Sid": "AllowIndividualUserToSeeTheirAccountInformation",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetLoginProfile"
],
"Resource": [
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToListTheirMFA",
"Effect": "Allow",
"Action": [
"iam:ListVirtualMFADevices",
"iam:ListMFADevices"
],
"Resource": [
"arn:aws:iam::accountid:mfa/*",
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToManageThierMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource": [
"arn:aws:iam::accountid:mfa/${aws:username}",
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "DoNotAllowAnythingOtherThanAboveUnlessMFAd",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
答案 1 :(得分:5)
为后代发帖。 我尝试使用Josh Hancock发布的方法,但强制控制台MFA帐户的api调用失败了一些AWS服务,如弹性文件系统和一些s3 api调用。 在提出支持服务单时,来自AWS的响应是,"有针对此精确问题的功能请求,因为目前没有可靠的机制来仅为控制台强制执行MFA。我已将您的帐户添加到此功能请求的请求帐户列表中。遗憾的是,除了在任何地方启用MFA之外,我没有可靠的解决方法,或者只将IAM MFA策略应用于仅限控制台的用户。"
答案 2 :(得分:4)
为每个人创建2个IAM用户:
答案 3 :(得分:1)
对于您的用例,仅为IAM用户激活MFA设备就足够了。这将要求用户在登录AWS管理控制台时提供MFA代码,但不能用于AWS API调用。
只有在您还要为API调用强制执行MFA时,才需要使用“MultiFactorAuthPresent”条件编写IAM策略。
顺便说一句,在AWS论坛上发布与AWS相关的问题(https://forums.aws.amazon.com/index.jspa)是获得回复的好方法。
答案 4 :(得分:0)
我有不同的解决方案。我有一个“ MFA Jail”组,除非您启用了MFA,否则该组不允许您执行任何操作(分配MFA除外)。我有一个每小时运行一次的小脚本,它扫描所有用户并将没有MFA的所有用户添加到“ MFA Jail”。相同的脚本还会从监狱中删除启用了MFA的用户。这样,我强迫人们启用MFA,但不需要MFA进行API调用。
如果其他人感兴趣,我会发布脚本。