- 新しい順
- 投票が多い順
- コメントが多い順
Hello.
It is possible to configure SCP to disallow IAM users who do not have MFA set.
If the following SCP is set, IAM users will not be able to operate any resources other than those related to IAM without using MFA.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser",
"iam:CreateLoginProfile",
"iam:DeleteLoginProfile",
"iam:GetLoginProfile",
"iam:UpdateLoginProfile"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "*"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ChangePassword",
"iam:GetUser",
"iam:CreateLoginProfile",
"iam:DeleteLoginProfile",
"iam:GetLoginProfile",
"iam:UpdateLoginProfile",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
},
"StringLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:user/*"
]
}
}
}
]
}
For SSO users, the following procedure can be used to enforce this.
https://docs.aws.amazon.com/singlesignon/latest/userguide/how-to-configure-mfa-device-enforcement.html
This SCP does not works at all! I have just deployed it, tested with a localuser created withoutMFA attached AdminPolicy. I also tried at least 3 different versions to EnforceMFA for our organization: including the following: { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowManageOwnUserMFA", "Effect": "Deny", "Action": [ "iam:ListMFADevices", "iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice" ], "Resource": "", "Condition": { "StringLike": { "aws:PrincipalArn": "arn:aws:iam:::user/" } } }, { "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken" ], "Resource": "", "Condition": { "StringLike": { "aws:PrincipalArn": "arn:aws:iam:::user/" }, "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] }
If you use SSO in IAM Identity Center, under authentication you can configure MFA requirements.
Only in internal SSO IDP for AWS. External IDP's simple not supported with MFA. ( example: Azure, or anything which is not AWS Directory Services, AWS Managed Directory for Microsoft Active Directory, or Cognito IDP. ).
関連するコンテンツ
- AWS公式更新しました 1年前
- AWS公式更新しました 2年前
- AWS公式更新しました 2年前
- AWS公式更新しました 2年前
I have not found a working solution yet. Received some SCP from AWS Support but those neither work properly.. Until now the only solution I could enforce MFA to attach users policy directly to user, or users to a group which have attached MFAEnforcement.