How would I be able to disable command line or programmatic access?

0

Hello, I'm supporting a client that has moved over to AWS Control Tower. They have leveraged AWS SSO with Okta and have initiated building their environment.

They queried if it was possible to disable command line or programmatic access for users with various roles. Their ask was to ensure their users would only be able to access their AWS environment through the management console.

Is there any way to either restrict or limit CLI or programmatic access while keeping their required access to the management console?

Regards,

3 Answers
2

The question has to be "why?"

Accessing via the Management Console or CLI is exactly the same - they are simply two different access mechanisms to perform the same action. They are identical in every way in terms of permissions (i.e. what a user can do). Disabling would have no effect other than to make some portion of a customer's workforce inefficient and frustrated.

AWS
answered 2 years ago
0

Hi! Good question. I don't believe there's any way to do this directly as console actions map back to AWS API Calls.

What I would suggest is doing something as so:

  • Block Access if MFA token is not present for AWS Users.
  • Require MFA for the IAM Users.

This would make it a little more difficult to authenticate directly with the AWS CLI or programmatically as users would have to provide their MFA Token. It's not foolproof.

The other thing I would recommend is check with the client on their security requirements. What's the reason for the client desiring management console access but not CLI or programmatic access. Do they want read-only or non-creative/destructive actions for the IAM Users? What are the IAM users and their purpose/need to access AWS?

jsonc
answered 2 years ago
0

Hey there,

There are 2 ways to look at your question:

  1. The solution, and
  2. The 'why'

Let's look at the solution because it's somewhat simple (simple in theory, may not be in practice).

  • Ultimately you can prevent Programmatic access by not providing users with Programmatic credentials, but that doesn't apply here because the users are being federated onto AWS, which means that they could use the Okta AWS CLI tool, or AWS SSO, and just authN in and obtain temporary credentials from the role they assume.
  • So, what other option is left to us? The MFA suggestion is a good one, because Console users have to provide an MFA code when logging in. However, because the users are federating in to AWS, it won't be the AWS MFA that they're using (it will be the MFA of the IdP) and so if you enforce the presence of an MFA against all users, then UI and CLI users alike won't have access because no one will have used the AWS MFA.
  • Where does this leave us? Well, you could write an SCP or IAM policies which only allow access from certain "UserAgents", effectively blocking access from any platform that isn't one which you have approved. You could lock access down to particular browsers, and thus prevent access from a programmatic source such as AWS Tools for PowerShell or the AWS CLI. This comes with its own risks because what if a user wants to access the UI through a browser that you have not considered? Or if UserAgent details change and you haven't updated the values within your policies? These are risks which you will have to weigh and make a decision against.
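
As an added illustration of the UserAgent approach described above (example written for this page, not code from the answer or from AWS), here is an SCP in the deny-list style: it blocks any request whose aws:UserAgent starts with the default prefixes sent by common AWS tools. The prefix values are assumptions; confirm them against the userAgent field in your own CloudTrail records before attaching the policy to an OU.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyKnownProgrammaticUserAgents",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:UserAgent": [
            "aws-cli/*",
            "Boto3/*",
            "aws-sdk-go/*",
            "AWSPowerShell/*"
          ]
        }
      }
    }
  ]
}
```

The header is client-supplied, so this raises friction rather than forming a hard boundary, which is exactly the trade-off the answer describes; pilot it in a non-production OU and review CloudTrail for unexpected denials before widening scope.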

Right, so we've looked at "how?", now let's look at "why?".

  • The ultimate question here is "why is the customer looking to implement/achieve this?". Simply asking "why" likely won't achieve much, so we need to dig deeper.
  • Questions to ask here are:
    • "What security concern are you trying to address by enforcing such a restriction?".
    • "If you're attempting to meet some form of regulatory compliance, which is it and are you sure that this is an explicit requirement?".
    • "Have you looked at the risk which you're attempting to address, and weighed it against the possible risk that restricting access based on 'UserAgent' would cause?".

I hope that this helps you, not just in answering the question of whether it's possible or not, but that it also helps guide your future conversations with your customer on this matter.

AWS
answered 2 years ago
