Prompt for an MFA code on certain AWS CLI operations

Time: 2017-12-27 11:54:06

Tags: amazon-web-services amazon-iam aws-cli

We enforce MFA for AWS web console access. But I would also like some aws actions to prompt for an MFA code.

Is this possible?

2 answers:

Answer 0 (score: 1)

You should be able to add an MFA condition on the relevant API operations. For example, here is an IAM policy that allows the bearer to call EC2 operations freely, but requires MFA when calling StopInstances or TerminateInstances.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:*"],
    "Resource": ["*"]
  },{
    "Effect": "Deny",
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
    "Resource": ["*"],
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
  }]
}

For a more detailed example, see here.
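Added here as an illustration, not part of the original answer: a small Python evaluator for the two-statement policy above, showing why the Deny uses BoolIfExists rather than Bool. Requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, and a plain Bool condition never matches a missing key, so such a Deny would not fire. The evaluator and the request contexts are constructed for this example and simplify IAM's real evaluation logic.

```python
# Constructed example: minimal IAM-style evaluation of the Allow/Deny policy
# above against request contexts with and without aws:MultiFactorAuthPresent.
import fnmatch

MFA_KEY = "aws:MultiFactorAuthPresent"


def condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists condition blocks against a request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue      # ...IfExists: a missing key counts as a match
                return False      # plain Bool: a missing key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy, action, context):
    """Explicit Deny beats Allow; no matching Allow means implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatch(action, a) for a in stmt["Action"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def mfa_policy(operator):
    """The answer's policy, parameterised on the Deny's condition operator."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": ["*"], "Condition": {operator: {MFA_KEY: "false"}}}]}


# Constructed request contexts: long-term keys carry no MFA key at all;
# STS session credentials carry it as "true" or "false".
LONG_TERM_KEY = {}
SESSION_WITH_MFA = {MFA_KEY: "true"}
SESSION_WITHOUT_MFA = {MFA_KEY: "false"}

if __name__ == "__main__":
    for op in ("BoolIfExists", "Bool"):
        for name, ctx in [("long-term key", LONG_TERM_KEY), ("session+MFA", SESSION_WITH_MFA),
                          ("session no MFA", SESSION_WITHOUT_MFA)]:
            print(f"{op:12} {name:15} StopInstances allowed={is_allowed(mfa_policy(op), 'ec2:StopInstances', ctx)}")
```

Running it shows that only the BoolIfExists variant denies StopInstances for a request made with plain long-term keys, which is the case the question is about.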

Answer 1 (score: 1)

The exact use case is not possible. However, you can grant the necessary permissions, e.g. StopInstances, to an IAM role and give the IAM user permission to assume the role if and only if the user uses MFA. The role's trust policy would be as follows:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
    "Action": "sts:AssumeRole",
    "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
  }
}

So when using the console, the IAM user signs in with their credentials and MFA token and can then assume the role to stop instances.

When using the CLI, you can use named profiles with the "mfa_serial" variable; when the user tries to stop instances using the named profile parameter, the CLI will ask for the MFA code (note that the returned credentials will be cached by the CLI).

Alternatively, you can follow jarmod's suggestion and use a custom script, since you need to call GetSessionToken and pass the MFA token. There are sample Python and C# scripts here.