We enforce MFA for AWS web console access. But I would also like some AWS actions to prompt for an MFA code.
Is this possible?
Answer 0: (score: 1)
You should be able to add an MFA condition on the relevant API operations. For example, here is an IAM policy that lets the holder call EC2 operations freely, but requires MFA when calling StopInstances or TerminateInstances.
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*"],
        "Resource": ["*"]
    },{
        "Effect": "Deny",
        "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
        "Resource": ["*"],
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": false}}
    }]
}
For a more detailed example, see here.
Answer 1: (score: 1)
Your exact use case is not possible. However, you can give the necessary permissions, such as StopInstances, to an IAM role and grant the IAM user permission to assume that role if and only if the user uses MFA. The role's trust policy would look like this:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
        "Action": "sts:AssumeRole",
        "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
    }
}
So when using the console, the IAM user signs in with their credentials and MFA token and can then assume the role to stop instances.
When using the CLI, you can use named profiles with the "mfa_serial" variable; when the user tries to stop an instance using the named profile parameter, the CLI will prompt for the MFA code (note that the returned credentials are cached by the CLI).
Alternatively, you can use the suggestion jarmod provided and use a custom script, since you need to call GetSessionToken and pass the MFA token. There is an example Python and C# script here.
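The two answers rely on the same condition key, aws:MultiFactorAuthPresent, but use different operators (BoolIfExists in answer 0's Deny, Bool in answer 1's trust policy), and the difference matters. The following is an added example, not code from the question or either answer: a small Python simulation of the IAM evaluation rules that apply here (explicit Deny beats Allow, implicit deny otherwise, Bool versus BoolIfExists). It runs the two policies from the answers, plus a deliberately weakened variant that is not on the page, against three constructed credential contexts. The contexts are assumptions based on AWS's documented behaviour: the key is absent for long-term IAM user access keys, "false" for STS temporary credentials obtained without MFA, and "true" when MFA was used. Resource matching is not modelled because every statement on this page uses "*".

```python
"""Simulate how IAM evaluates aws:MultiFactorAuthPresent (added example).

Models only: explicit Deny overrides Allow, implicit deny by default, and the
Bool / BoolIfExists condition operators. Resource matching is ignored.
"""
from fnmatch import fnmatchcase

# Constructed request contexts (assumption: only the MFA key is modelled).
LONG_TERM_KEYS = {}                                    # key absent entirely
STS_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}   # e.g. AssumeRole without MFA
STS_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}  # GetSessionToken/AssumeRole with MFA


def _condition_matches(condition, context):
    """True when every Bool / BoolIfExists clause matches the request context."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue        # a missing key satisfies an ...IfExists clause
                return False        # plain Bool never matches a missing key
            # IAM accepts "true", true and "True" alike; normalise both sides
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_applies(stmt, action, context):
    """Case-insensitive wildcard match on Action, then the Condition block."""
    actions = stmt["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if not any(fnmatchcase(action.lower(), p.lower()) for p in actions):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def is_allowed(policy, action, context):
    """Explicit Deny wins; otherwise allowed only if some Allow statement applies."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    allowed = False
    for stmt in statements:
        if not _statement_applies(stmt, action, context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Policy from answer 0: EC2 in general, but the destructive calls need MFA.
EC2_MFA_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
        {"Effect": "Deny",
         "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": ["*"],
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Weakened variant constructed for comparison (NOT from the page): plain Bool.
WEAK_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
        {"Effect": "Deny",
         "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": ["*"],
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Trust policy from answer 1: AssumeRole only when MFA is present.
MFA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    },
}


def report():
    """Decision for each policy/credential combination: label -> allowed."""
    contexts = {"long-term keys": LONG_TERM_KEYS,
                "STS, no MFA": STS_NO_MFA,
                "STS, MFA": STS_WITH_MFA}
    cases = [("answer 0 policy", EC2_MFA_DENY_POLICY, "ec2:StopInstances"),
             ("weak Bool variant", WEAK_DENY_POLICY, "ec2:StopInstances"),
             ("answer 1 trust policy", MFA_TRUST_POLICY, "sts:AssumeRole")]
    return {f"{name} / {cname}": is_allowed(policy, action, ctx)
            for name, policy, action in cases
            for cname, ctx in contexts.items()}


if __name__ == "__main__":
    for label, decision in report().items():
        print(f"{label:45} {'ALLOW' if decision else 'DENY'}")
```

The weakened variant is the pitfall to look for in real policies: with a plain Bool the Deny never fires for plain IAM access keys, because the key is absent rather than "false", so the destructive call goes through without MFA. BoolIfExists closes that gap, which is why answer 0's Deny uses it, while the Allow in answer 1's trust policy is safe with plain Bool since a missing key simply fails to grant. Note also that neither policy by itself makes the CLI ask for a code; it only turns an un-MFA'd call into an AccessDenied. The prompt comes from the CLI's mfa_serial setting, which it uses when a profile assumes a role, exactly the arrangement answer 1 describes.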