Weird IAM Policy - seems to be doing the reverse of what I'd expect

0

I'm trying to audit some AWS accounts to see if MFA is enforced for access keys. Every other time I've seen this done in other reviews for other companies, the MFA condition was enforced in a trust policy when the user assumed the role and permissions were assigned to the role. But that's not what I see here.

There is a policy ("ForcedMFAPolicy") with a condition to check for the existence of the MultiFactorAuthAge key and an effect to deny access to any action other than IAM. The policy is below:

Condition: {                         Null: {                        aws:MultiFactorAuthAge: "true"             }            },                 Resource: "",                 Effect: "Deny",                NotAction: "iam:",                  Sid: "ExplicitDenyOnPermissionsWithoutMFA"      

This policy is assigned to a group. The aws:MultiFactorAuthAge key exists only when temporary credentials are fetched from sts. But the users in question are straight IAM users (not federated and not instance profiles) and they aren't assuming any roles (because trust policies only allow AssumeRole permission to services, not AWS users or groups). Access keys are long-term credentials and won't have short-term sts credentials because they aren't assuming a role. If they can't get a temporary credentials, then MultiFactorAuthAge will always be null (which makes the condition always true?) which means that access to everything other than IAM is always denied.

But if that were the case, no one would be able to do anything with access keys. Or with password-based login either, and that doesn't make sense because this is a system that is actually a production system that is functioning.

Can someone help me figure this out?

2 Answers
0

Hi, Please note that policies with MFA conditions can be attached to IAM user or group, a resource (via resource based policy, e.g., S3 Bucket policy) and they can also be attached to a trust policy of an IAM role.

In your case, the MFA restriction has been applied to a group, which is valid. Authenticated IAM users (with their long term credentials) within this group, must use MFA to be able to call APIs other than IAM. When using AWS CLI/SDK and long term credentials, the only way to pass in the MFA context keys is by calling the sts:GetSessionToken API with valid SerialNumber and TokenCode. The sts:GetSessionToken returns the temporary credentials you need to use an AWS that is protected by MFA. With console that works seamlessly and you do not need to call STS.

I hope it helps.

Thanks, Yossi

AWS
answered 2 months ago
profile pictureAWS
EXPERT
reviewed 2 months ago
  • So based on my poking around it doesn't seem like the users with access keys (long term creds) are doing any kind of federation or otherwise doing something that would trigger STS related calls. Would the policy not impact how the access keys operate? I've just not seen anything else that explains why the keys are functioning outside of that particular policy.

  • Are you asking about CLI/SDK access with long term credentials? Can you share the whole IAM policy that is attached to the IAM users/group?

0

Hello,

Policies with an MFA condition can be attached to:

  • An IAM user or group
  • A resource such as an Amazon S3 bucket, Amazon SQS queue, or Amazon SNS topic
  • The trust policy of an IAM role that can be assumed by a user

It is correct that the keys aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge will only be present when the request is made using temporary credentials and not long-term credentials. The reason why policies with MFA conditions can still be attached to IAM users or groups is because when logging in to the Console with long-term credentials (username and password), the Console actually generates temporary credentials for the user in the background. If the user needs to access resources via CLI instead of the Console, then they will need to create a temporary session using sts get-session-token AWS CLI command.

That said, based on the statement shared, condition key aws:MultiFactorAuthAge is being used as a boolean instead of numeric. This key is used to compare the number of seconds since the principal was authorized using MFA with the number specified in the policy. If the intent is to confirm that MFA was used to validate the temporary security credentials that made the request, then aws:MultiFactorAuthPresent should be used instead.

There is a sample policy available that allows IAM users that are authenticated with MFA to manage their own MFA device on the Security credentials page, but denies access to all AWS actions except those necessary to authenticate using MFA if the user is not MFA-authenticated.

AWS
SUPPORT ENGINEER
answered 2 months ago
  • Thanks for this information. It’s the “Null” operator that returns the Boolean, correct? It doesn’t matter what the data type of the key is, the operator “Null” always returns a Boolean? That is my understanding anyway, so if you're right then I must be mistaken, does that sound right? Is there any documentation around that?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions