- Newest
- Most votes
- Most comments
Hi, Please note that policies with MFA conditions can be attached to IAM user or group, a resource (via resource based policy, e.g., S3 Bucket policy) and they can also be attached to a trust policy of an IAM role.
In your case, the MFA restriction has been applied to a group, which is valid. Authenticated IAM users (with their long term credentials) within this group, must use MFA to be able to call APIs other than IAM. When using AWS CLI/SDK and long term credentials, the only way to pass in the MFA context keys is by calling the sts:GetSessionToken API with valid SerialNumber and TokenCode. The sts:GetSessionToken returns the temporary credentials you need to use an AWS that is protected by MFA. With console that works seamlessly and you do not need to call STS.
I hope it helps.
Thanks, Yossi
Hello,
Policies with an MFA condition can be attached to:
- An IAM user or group
- A resource such as an Amazon S3 bucket, Amazon SQS queue, or Amazon SNS topic
- The trust policy of an IAM role that can be assumed by a user
It is correct that the keys aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge will only be present when the request is made using temporary credentials and not long-term credentials. The reason why policies with MFA conditions can still be attached to IAM users or groups is because when logging in to the Console with long-term credentials (username and password), the Console actually generates temporary credentials for the user in the background. If the user needs to access resources via CLI instead of the Console, then they will need to create a temporary session using sts get-session-token AWS CLI command.
That said, based on the statement shared, condition key aws:MultiFactorAuthAge is being used as a boolean instead of numeric. This key is used to compare the number of seconds since the principal was authorized using MFA with the number specified in the policy. If the intent is to confirm that MFA was used to validate the temporary security credentials that made the request, then aws:MultiFactorAuthPresent should be used instead.
There is a sample policy available that allows IAM users that are authenticated with MFA to manage their own MFA device on the Security credentials page, but denies access to all AWS actions except those necessary to authenticate using MFA if the user is not MFA-authenticated.
Thanks for this information. It’s the “Null” operator that returns the Boolean, correct? It doesn’t matter what the data type of the key is, the operator “Null” always returns a Boolean? That is my understanding anyway, so if you're right then I must be mistaken, does that sound right? Is there any documentation around that?
Relevant content
- asked a year ago
- asked 3 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 22 days ago
- AWS OFFICIALUpdated 2 years ago
So based on my poking around it doesn't seem like the users with access keys (long term creds) are doing any kind of federation or otherwise doing something that would trigger STS related calls. Would the policy not impact how the access keys operate? I've just not seen anything else that explains why the keys are functioning outside of that particular policy.
Are you asking about CLI/SDK access with long term credentials? Can you share the whole IAM policy that is attached to the IAM users/group?