Is it possible to assign MFA to an AWS IAM role?

0

Is it possible to assign MFA to an AWS IAM role? We have cross-account access, and in order to assume a role we would like to use MFA.

Update for clarity: We have a role in Account A, and before assuming a role in Account B we would like to use MFA. There is no user between those accounts.

y0zg
asked 2 years ago, 2522 views
5 Answers
1

Hey there,

Your focus here is on enforcing the presence of an MFA device at the time of assuming Role A, and then you can later double-check for the presence of an MFA in the policy associated with Role B, but let's not focus on Role B for now.

So, enforcing MFA at the time of assuming Role A will all come down to 'how' you assume Role A. In order to traditionally assume a role, you must have an Access and a Secret Key (and a Session Token if you're already using temporary credentials). Let's ignore the avenue of using temporary credentials to assume a role, otherwise we will find ourselves in some sort of MFA Inception. This leaves us with two avenues of approach:

  1. You're an IAM User assuming the role, in which case you can simply associate an MFA device with the IAM User. However, you're here asking the question so I think it's safe to presume you're not using an IAM User.

  2. You're federating your users from an IdP of some description, so they are landing in AWS with an assumed role via federation. In this case, as mentioned by another user here, you're going to have to enforce MFA at the IdP level and this will not translate over to AWS and thus you won't be able to use the MFA Condition key.

We can get around this MFA business, though. You can do this in one of two ways:

  1. You can check if your IdP has a flag of its own that indicates presence of an MFA device, and pass that in your SAML Response and use it in your IAM Policies (i.e. this attribute & value must be present in order to proceed with 'X' action).

  2. You can make an assumption that any user who is federating to AWS will already have had to use an MFA to log into their account. If you can make this blanket assumption, then you can hard-code (I know, not nice words but if the risk is acceptable or mitigated then plough on) an attribute and value against the user(s) and pass that in your SAML Response, so it will always be present when a user federates to AWS.

The risk with the second option is "What if a user logs in against the IdP without MFA and then has access to AWS without an MFA device?". This is a legitimate risk, but one you should be fit to mitigate. Any IdP I have come across will enable you to set rules against all users in a directory, rules such as enforcing the presence of an MFA device at login. Having such a rule would mitigate the risk here, but that is something you would need to look into and accept.

AWS
answered 2 years ago
  • Thank you for the comprehensive answer! The reason why I'd like to have MFA integrated with the role in Account A is because of using cross-account CICD pipelines. There is a Jenkins AWS plugin, https://github.com/jenkinsci/pipeline-aws-plugin, which allows either assuming roles or using a user identity (secret, key) with MFA, but not both. So, an option to use MFA in the Jenkins pipeline would significantly improve security layers. And the option to hardcode AWS secrets in Jenkins doesn't seem to be a secure solution.

1

Hi! Good question.

Reading through the other answers - keep in mind there are some limitations with the combination of MFA and IAM Roles.

If you are using cross-account access and have Users in Account A assume roles in account B, then yes you can require the role to only allow the user to assume it if it has MFA present. That is what this blog describes: https://aws.amazon.com/blogs/security/how-do-i-protect-cross-account-access-using-mfa-2/.

As per https://aws.amazon.com/iam/faqs/?nc=hl&pg=f-mfa, MFA is for AWS Management Console users or AWS API users.

However, if you are federating in to a role in Account A, then assuming a role in Account B, that will be different. You can use MFA with Cognito User Pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html.

From the MFA page: AWS Management Console users: When a user with MFA enabled signs in to an AWS website, they are prompted for their user name and password (the first factor–what they know), and an authentication response from their AWS MFA device (the second factor–what they have). All AWS websites that require sign-in, such as the AWS Management Console, fully support AWS MFA. You can also use AWS MFA together with Amazon S3 secure delete for additional protection of your S3 stored versions.

AWS API users: You can enforce MFA authentication by adding MFA restrictions to your IAM policies. To access APIs and resources protected in this way, developers can request temporary security credentials and pass optional MFA parameters in their AWS Security Token Service (STS) API requests (the service that issues temporary security credentials). MFA-validated temporary security credentials can be used to call MFA-protected APIs and resources. Note: AWS STS and MFA-protected APIs do not currently support U2F security key as MFA.

jsonc
answered 2 years ago
0
AWS
EXPERT
kentrad
answered 2 years ago
  • Thanks, just to be clear, I need a role which will be using MFA before assuming another role. This article is about using MFA with users who can assume roles.

0

Yes, however it is done through whichever method you use to authenticate the initial user (assuming here that the role is being assumed by a human). So for example, if you're using AWS User accounts, you would enable and register the MFA token with the user. When they then authenticate into the AWS Console (or via CLI) they will supply their token. This is a similar process if you're using a third party identity provider (e.g. Ping, Auth0, etc).

The other part of this is to add a condition key to the assumed role which enforces that MFA is present which is documented here. With the condition in place, IAM will validate that a token was provided and is valid for that user (or assumed role in the case of a federated role access model).

AWS
answered 2 years ago
  • Thank you, but I need to use MFA with a role before assuming another role. Nothing to do with users.

-1
  1. Yes, it is possible.
  2. Add this policy: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html
  3. Not working yet!!!
  4. Another user, pmbaldwin, found the solution: https://forums.aws.amazon.com/message.jspa?messageID=940097#940097

This example policy does not allow users to both sign in and perform a password change. New users and users with an expired password might try to do so. To intentionally allow this, add iam:ChangePassword and iam:CreateLoginProfile to the statement BlockMostAccessUnlessSignedInWithMFA.

  5. So, edit the policy for "Sid": "DenyAllExceptListedIfNoMFA":

    {
        "Sid": "DenyAllExceptListedIfNoMFA",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice",
            "iam:EnableMFADevice",
            "iam:GetUser",
            "iam:ListMFADevices",
            "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice",
            "iam:CreateLoginProfile",
            "iam:ChangePassword",
            "sts:GetSessionToken"
        ],
        "Resource": "*",
        "Condition": {
            "BoolIfExists": {
                "aws:MultiFactorAuthPresent": "false"
            }
        }
    }

Thanks pmbaldwin!!! :)

answered 2 years ago
  • Sorry, it's not related to my question. I need a role with MFA, not a user as the initiator of the flow. The option of using a user and then assuming some role isn't relevant, as I'm implementing a CICD pipeline and I want the EC2 instance to have an IAM role with MFA assigned.
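
Added example (not part of any answer above, and not AWS code): a Python model of how the Deny statement quoted in the last answer evaluates for different credential types, and how the result changes if BoolIfExists is replaced by Bool. It models only NotAction with exact action names and the two Bool operators; the context names and the sample action s3:ListBucket are constructed for illustration.

```python
# Added example: models only NotAction and the Bool / BoolIfExists operators.
DENY_STATEMENT = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                  "iam:GetUser", "iam:ListMFADevices",
                  "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                  "iam:CreateLoginProfile", "iam:ChangePassword",
                  "sts:GetSessionToken"],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# Constructed request contexts: the key is absent for long-term access
# keys and present (true or false) for temporary credentials.
CONTEXTS = {
    "long_term_access_key": {},
    "session_token_without_mfa": {"aws:MultiFactorAuthPresent": "false"},
    "session_token_with_mfa": {"aws:MultiFactorAuthPresent": "true"},
}

def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block matches."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        if base != "Bool":
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if not if_exists:
                    return False  # plain Bool never matches a missing key
                continue          # ...IfExists treats a missing key as a match
            if context[key].lower() != expected.lower():
                return False
    return True

def statement_denies(statement, action, context):
    """True when the Deny statement applies to this action and context."""
    if action in statement["NotAction"]:
        return False  # actions listed in NotAction are exempt
    return condition_matches(statement["Condition"], context)

def swap_operator(statement, operator):  # copy using another operator
    (pairs,) = statement["Condition"].values()
    return {**statement, "Condition": {operator: pairs}}

def decisions(statement, action="s3:ListBucket"):
    return {n: statement_denies(statement, action, c) for n, c in CONTEXTS.items()}
```

With BoolIfExists the Deny also covers requests signed with long-term access keys, where the MFA key is missing from the request; with plain Bool those requests are not matched by the Deny.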
