How would I be able to disable command line or programmatic access?
Hello, I'm supporting a client that has moved over to AWS Control Tower. They have leveraged AWS SSO with Okta and have started building their environment.
They queried if it was possible to disable command line or programmatic access for users with various roles. Their ask was to ensure their users would only be able to access their AWS environment through the management console.
Is there any way to either restrict or limit CLI or programmatic access while keeping their required access to the management console?
The question has to be "why?"
Accessing via the Management Console or CLI is exactly the same - they are simply two different access mechanisms to perform the same action. They are identical in every way in terms of permissions (i.e. what a user can do). Disabling would have no effect other than to make some portion of a customer's workforce inefficient and frustrated.
Hi! Good question. I don't believe there's any way to do this directly as console actions map back to AWS API Calls.
What I would suggest is doing something like this:
- Block Access if MFA token is not present for AWS Users.
- Require MFA for the IAM Users.
This would make it a little more difficult to authenticate directly with the AWS CLI or programmatically as users would have to provide their MFA Token. It's not foolproof.
The other thing I would recommend is to check with the client on their security requirements. What's the reason for the client desiring management console access but not CLI or programmatic access? Do they want read-only or non-creative/destructive actions for the IAM Users? What are the IAM users and their purpose/need to access AWS?
There are 2 ways to look at your question:
- The solution, and
- The 'why'
Let's look at the solution because it's somewhat simple (simple in theory, may not be in practice).
- Ultimately you can prevent programmatic access by not providing users with programmatic credentials, but that doesn't apply here because the users are being federated into AWS, which means that they could use the Okta AWS CLI tool, or AWS SSO, and just authN in and obtain temporary credentials from the role they assume.
- So, what other option is left to us? The MFA suggestion is a good one, because Console users have to provide an MFA code when logging in. However, because the users are federating into AWS, it won't be the AWS MFA that they're using (it will be the MFA of the IdP) and so if you enforce the presence of an MFA against all users, then UI and CLI users alike won't have access because no one will have used the AWS MFA.
- Where does this leave us? Well, you could write an SCP or IAM Policies which only allow access from certain "UserAgents", effectively blocking access from any platform that isn't one which you have approved. You could lock access down to particular browsers, and thus prevent access from a programmatic source such as AWS Tools for PowerShell or the AWS CLI. This comes with its own risks because what if a user wants to access the UI through a browser that you have not considered? Or if UserAgent details change and you haven't updated the values within your policies? These are risks which you will have to weigh and make a decision against.
Right, so we've looked at "how?", now let's look at "why?".
- The ultimate question here is "why is the customer looking to implement/achieve this?". Simply asking "why" likely won't achieve much, so we need to dig deeper.
- Questions to ask here are:
  - "What security concern are you trying to address by enforcing such a restriction?"
  - "If you're attempting to meet some form of regulatory compliance, which is it and are you sure that this is an explicit requirement?"
  - "Have you looked at the risk which you're attempting to address, and weighed it against the possible risk that restricting access based on 'UserAgent' would cause?"
I hope that this helps you, not just in answering the question of whether it's possible or not, but that it also helps guide your future conversations with your customer on this matter.
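As an added illustration of the UserAgent-based SCP described in the answer above (example code, not from the original answers or from AWS), here is a Deny statement keyed on the `aws:UserAgent` condition key together with a small local evaluator, so the approved-pattern list can be tested against recorded user-agent strings before the policy is deployed. The approved browser patterns and the sample user agents are constructed assumptions; the evaluator only approximates IAM's `StringNotLike` wildcard matching.

```python
"""Added example: an SCP that denies requests whose aws:UserAgent does not match an
approved list, plus a local check of which user agents it would block.
The pattern list is an assumption, not an AWS-recommended value."""
import fnmatch
import json

# Hypothetical approved patterns. aws:UserAgent supports StringNotLike with '*'.
# Constructed for this example: the org approved only two browser families.
APPROVED_USER_AGENTS = [
    "Mozilla/*Chrome/*",
    "Mozilla/*Firefox/*",
]

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyNonApprovedUserAgents",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            # Deny fires when the user agent matches NONE of the approved patterns.
            "Condition": {"StringNotLike": {"aws:UserAgent": APPROVED_USER_AGENTS}},
        }
    ],
}


def would_deny(user_agent: str) -> bool:
    """Approximate the Deny statement locally: True when the SCP would block the call.
    StringNotLike against a list is satisfied (so Deny applies) only when the value
    matches none of the patterns; '*' is the only wildcard we rely on."""
    patterns = SCP["Statement"][0]["Condition"]["StringNotLike"]["aws:UserAgent"]
    return not any(fnmatch.fnmatchcase(user_agent, p) for p in patterns)


def policy_json() -> str:
    """Render the SCP as the JSON document you would attach in AWS Organizations."""
    return json.dumps(SCP, indent=2)


# Constructed sample userAgent values, in the shape CloudTrail records them.
SAMPLE_USER_AGENTS = {
    "approved_browser": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0 Safari/537.36",
    "aws_cli": "aws-cli/2.13.0 Python/3.11.4 Linux/6.1 exe/x86_64",
    "boto3_sdk": "Boto3/1.28.0 md/Botocore#1.31.0 ua/2.0 os/linux",
    "unlisted_browser": "Mozilla/5.0 (X11; Linux x86_64) Safari/605.1.15",
}

if __name__ == "__main__":
    print(policy_json())
    for name, ua in SAMPLE_USER_AGENTS.items():
        print(f"{name:>17}: {'DENY' if would_deny(ua) else 'allow'}")
```

The `unlisted_browser` sample shows the failure mode the answer warns about: a legitimate browser that is not on the list is locked out. Note also that `aws:UserAgent` is a client-supplied header, so this SCP raises the bar but does not reliably prevent a determined programmatic caller.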