There is an example in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html#MFAProtectedAPI-user-mfa although the example uses EC2 actions:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:StopInstances",
      "ec2:TerminateInstances"
    ],
    "Resource": ["*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
It uses the global condition key aws:MultiFactorAuthPresent to determine whether MFA is used. However, please notice that the condition key is not available for all the use cases. For the availability of the condition key, please check https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-multifactorauthpresent.
Hi DomPeer,
You are right that the KMS key owner (in your case, I assume it's you) can change the key policy without approval from others.
So in your case, one possible solution would be having your customer own the key and letting them create a key policy that allows your enclave (through an IAM condition) to use the key.
However, in reality, it's not always feasible to have all the customers own their AWS accounts and manage the key. So you'll probably need to think of a solution where the key is stored on the client side (e.g. having the customer create a master password and using an algorithm such as PBKDF2 to generate the key, or saving it in the client apps, etc.).
The key takeaway is that in most enclave applications, only the enclave environment is trusted by all parties. The other parts around it (e.g. the encryption key, storage, etc.) are not, and need to be owned by their owner.
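The customer-owned key policy sketched above, as an added example that is not part of the original answer: the customer keeps administrative control of the key, and the provider's role may only decrypt when KMS verifies a Nitro Enclaves attestation whose PCR0 matches the expected enclave image (the real `kms:RecipientAttestation:ImageSha384` condition key). The account IDs, role name, PCR0 value and the `enclave_may_decrypt` helper are constructed placeholders; the helper only approximates the condition check locally and does not model attestation-document signature validation.

```python
# Constructed placeholder identifiers; replace with real account IDs and the
# enclave's measured PCR0 (ImageSha384) taken from its attestation document.
CUSTOMER_ACCOUNT = "111111111111"             # the customer-owned key lives here
SERVICE_ENCLAVE_ROLE = "arn:aws:iam::222222222222:role/EnclaveParentRole"
EXPECTED_PCR0 = "a" * 96                      # placeholder 48-byte SHA-384 hex


def build_customer_key_policy(customer_account, enclave_role_arn, pcr0_hex):
    """Key policy the customer attaches to a KMS key it owns.

    Statement 1 keeps the customer in full control of the key (the provider
    cannot rewrite this policy). Statement 2 grants the provider's role
    kms:Decrypt only, and only when the request carries a Nitro Enclaves
    attestation whose PCR0 equals the expected enclave image measurement.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CustomerKeepsAdminControl",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{customer_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowOnlyAttestedEnclave",
                "Effect": "Allow",
                "Principal": {"AWS": enclave_role_arn},
                "Action": ["kms:Decrypt"],
                "Resource": "*",
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "kms:RecipientAttestation:ImageSha384": pcr0_hex
                    }
                },
            },
        ],
    }


def enclave_may_decrypt(policy, principal_arn, attested_pcr0):
    """Local approximation (hypothetical helper) of statement 2's evaluation:
    the caller must be the named role AND present the expected PCR0.
    A missing or non-matching measurement is denied; KMS additionally checks
    that the attestation document is genuinely signed, which is not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Sid") != "AllowOnlyAttestedEnclave":
            continue
        expected = stmt["Condition"]["StringEqualsIgnoreCase"][
            "kms:RecipientAttestation:ImageSha384"]
        return (stmt["Principal"]["AWS"] == principal_arn
                and attested_pcr0 is not None
                and attested_pcr0.lower() == expected.lower())
    return False
```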
The question is not about enforcing MFA, it's about who controls the key. This answer is irrelevant.