How do I require users from other AWS accounts to use MFA to access my Amazon S3 buckets?

3 minute read
0

I want to require other users to use a multi-factor authentication (MFA) device to get access to my Amazon Simple Storage Service (Amazon S3) buckets.

Resolution

Add MFA-related conditions to your bucket policy that require users from other AWS accounts to authenticate using an MFA device.

Before you begin, the users from other AWS accounts must meet the following requirements:

  • They must have permissions to access Amazon S3. For example, users meet this requirement if they have the AmazonS3FullAccess AWS Managed Policy included in their AWS Identity and Access Management (IAM) policies.
  • They must have an attached IAM policy that allows them to call GetSessionToken.
  • They must have an MFA device configured for use with their IAM identity.

Next, create a bucket policy that uses the aws:MultiFactorAuthPresent or aws:MultiFactorAuthAge conditions. These conditions determine whether the user has authenticated with an MFA device.

For example, assume that you want to deny a user from performing certain actions unless they authenticate using an MFA device. You can write a bucket policy in two parts:

1.    The first part can explicitly deny those actions when the user doesn't authenticate using MFA (the condition "aws:MultiFactorAuthPresent": "false" is met), similar to the following:

{
    "Version": "2012-10-17",
    "Id": "Policy201612130001aa",
    "Statement": [
        {
            "Sid": "Stmt201612130001ab",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::example.accounta.bucket/*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        },
...

In this example, we're denying the user from performing the s3:PutObject, s3:PutObjectAcl, and s3:DeleteObject actions.

2.    The second part of the policy can explicitly allow those actions when the user authenticates using MFA (the condition "aws:MultiFactorAuthPresent": "false" is not met):

...
        {
            "Sid": "Stmt201612130001ac",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::example.accounta.bucket",
                "arn:aws:s3:::example.accounta.bucket/*"
            ]
        }
    ]
}

After you add a similar bucket policy to your bucket, users can run the get-session-token AWS Command Line Interface (AWS CLI) command. The get-session-token command gets the credentials required to access the resources in your bucket. This command requires the user to provide the following:

  • The temporary code generated by the MFA device
  • The serial number of the device for a hardware MFA device, or the Amazon Resource Name (ARN) for a software MFA device

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

As another option for getting credentials, users can choose to export the temporary credentials as environment variables.


Related information

Bucket policy examples

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago