MFA Delegation to IAM Users

0

Hi Team,

I am trying to delegate MFA setup to users by following this guide so users are not able to access any resources until they have MFA enabled. https://aws.amazon.com/blogs/security/how-to-delegate-management-of-multi-factor-authentication-to-aws-iam-users/

Once a user has configured MFA, they can access AWS resources through AWS console based on additional permissions assigned to them. However, if a user has an access key configured they are not able to access any resources through CLI.

Is anyone aware of what IAM policy changes need to be performed in order to allow access key users to access resources once MFA has been added by the user?

5 Answers
0

@_takahash thank you for sharing the related case, it was useful.

@Gary I was working with the policy you have provided, but so far my observations have been:

I agree with this point: "You can't create an access key unless you have MFA set up". However, the user with MFA set up cannot run any CLI commands unless they use the aws sts get-session-token command. I was trying to avoid creating two separate users, one for CLI and the other for Console access, so that only Console is MFA enforced while CLI is accessible directly with access keys, but I might not have a choice.

answered a year ago
  • Try updating the condition

    I have updated my answer (policy). Try the new one.

0

Hi. Maybe no policy changes will be needed, but you have to execute the 'aws sts get-session-token' command with the '--serial-number' option before accessing your resources. Check the following link.

How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?

EXPERT
answered a year ago
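The extra step this answer describes, as an added example that is not part of the original post or of any AWS tooling: the exact CLI invocation with its options, and what to do with the temporary credentials it returns so that later calls carry MFA context. The MFA serial ARN, account id, username and credential values are constructed; only `build_get_session_token_command` and `credentials_to_profile` run offline, `fetch_session_profile` needs the AWS CLI and a configured long-term key.

```python
"""Added example: the MFA step a long-term access key user takes before the
deny statement stops blocking CLI calls. Not from the original post."""
import configparser
import io
import json
import re
import subprocess

# Shape of a real `aws sts get-session-token` response; all values constructed.
SAMPLE_RESPONSE = json.loads("""{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0001",
    "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecretEXAMPLE",
    "SessionToken": "EXAMPLEsessiontokenEXAMPLE",
    "Expiration": "2024-01-01T12:00:00+00:00"
  }
}""")

# Virtual MFA devices are named arn:aws:iam::<12-digit account>:mfa/<name>
MFA_SERIAL_RE = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@-]+$")


def build_get_session_token_command(mfa_serial, token_code,
                                    duration_seconds=43200, profile=None):
    """Build the argv for the CLI call the answer refers to.

    --serial-number is the MFA device ARN, --token-code the six-digit TOTP
    value, --duration-seconds (900..129600) bounds the session lifetime.
    """
    if not MFA_SERIAL_RE.match(mfa_serial):
        raise ValueError(f"not a virtual MFA device ARN: {mfa_serial}")
    if not re.fullmatch(r"\d{6}", token_code):
        raise ValueError("token code must be exactly six digits")
    if not 900 <= duration_seconds <= 129600:
        raise ValueError("duration must be between 900 and 129600 seconds")
    cmd = ["aws", "sts", "get-session-token",
           "--serial-number", mfa_serial,
           "--token-code", token_code,
           "--duration-seconds", str(duration_seconds),
           "--output", "json"]
    if profile:
        cmd += ["--profile", profile]  # profile holding the long-term key
    return cmd


def credentials_to_profile(response, profile_name="mfa"):
    """Render the temporary credentials as an ~/.aws/credentials profile.

    Later calls then use --profile mfa (or AWS_PROFILE=mfa), and the request
    context carries aws:MultiFactorAuthPresent = true.
    """
    creds = response["Credentials"]
    cp = configparser.ConfigParser()
    cp[profile_name] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def fetch_session_profile(mfa_serial, token_code, profile=None):
    """Run the CLI for real (needs aws installed and a long-term key configured)
    and return the profile text. Not exercised offline."""
    cmd = build_get_session_token_command(mfa_serial, token_code, profile=profile)
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return credentials_to_profile(json.loads(out))


if __name__ == "__main__":
    print(" ".join(build_get_session_token_command(
        "arn:aws:iam::123456789012:mfa/alice", "123456")))
    print(credentials_to_profile(SAMPLE_RESPONSE))
```

The session token expires at the `Expiration` timestamp in the response, so the profile has to be refreshed with a new token code; the long-term key itself never gains MFA context, which is why plain `aws` calls with it stay denied under the policy in this thread.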
0

I have seen this article already and apologies if my question was not clear.

Without MFA being enforced for the user, if an access key exists the user can directly use access keys from the CLI without requiring any additional steps.

I am looking to get MFA enforced only for AWS Console access without blocking access to CLI or requiring any additional steps being performed by end user from CLI.

Is there any available option?

answered a year ago
0

I am looking to get MFA enforced only for AWS Console access without blocking access to CLI or requiring any additional steps being performed by end user from CLI.

Sorry for my misunderstanding.

I'm afraid there is no way to enforce MFA only for AWS Console access with an MFA-enforcing IAM policy.

References: Can I enforce MFA for console sign in but not for access key (CLI) sign in? - aws re:Post

EXPERT
answered a year ago
0

All the information to do this can be found here: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html

I myself enforce MFA for CLI also, because if someone loses their keys then, as they are mostly stored in clear text on the local machine, anyone can use them without any additional enforcement.

Here is the policy from the link provided. You can't create an access key unless you have MFA set up. It doesn't enforce MFA for CLI access. So if a user already has an access key without MFA it will not affect them. You would have to enforce MFA on CLI too for that.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/*"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false",
                    "aws:ViaAWSService": "true"
                }
            }
        }
    ]
}
EXPERT
answered a year ago
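To make visible why the asker's access key users are blocked while the same users succeed in the console, here is an added example (not code from the answer above, from AWS, or from the IAM engine): a small offline model of how the `DenyAllExceptListedIfNoMFA` statement decides requests. The policy inside it is a constructed, trimmed copy that keeps the shape of the deny statement and two of the allow statements; the `aws:ViaAWSService` key that appears in the posted policy is left out so that only the MFA logic is exercised, and `AllowS3ListBuckets`, the account id and the username `alice` are assumptions. The key behaviour it demonstrates is the one AWS documents for `BoolIfExists`: a request signed with a long-term access key carries no `aws:MultiFactorAuthPresent` key at all, and a missing key counts as a match, so the deny fires.

```python
"""Added example: simplified evaluator for the MFA deny statement. Models
explicit deny > allow > implicit deny, Action/NotAction, Resource with
${aws:username}, and the BoolIfExists condition operator. Not the real IAM
engine and not the policy from the answer verbatim."""
import fnmatch

# Constructed, trimmed policy (see the lead-in for what was dropped).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": ["iam:EnableMFADevice", "iam:ListMFADevices"],
            "Resource": "arn:aws:iam::*:user/${aws:username}",
        },
        {
            # stands in for the "additional permissions" the question mentions
            "Sid": "AllowS3ListBuckets",
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets"],
            "Resource": "*",
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": ["iam:EnableMFADevice", "iam:ListMFADevices",
                          "sts:GetSessionToken"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

# Request contexts as IAM would build them (constructed). A long-term access
# key carries no aws:MultiFactorAuthPresent key; temporary credentials carry
# "true" only when the session was obtained with an MFA code.
CLI_LONG_TERM_KEY = {"aws:username": "alice"}
CONSOLE_WITH_MFA = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
SESSION_TOKEN_WITH_MFA = dict(CONSOLE_WITH_MFA)   # get-session-token --serial-number
SESSION_TOKEN_NO_MFA = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "false"}
OWN_USER = "arn:aws:iam::123456789012:user/alice"


def _matches_action(stmt, action):
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"])
    # NotAction: the statement applies to everything *except* the listed actions
    return not any(fnmatch.fnmatchcase(action, p) for p in stmt["NotAction"])


def _matches_resource(stmt, resource, ctx):
    pattern = stmt["Resource"].replace("${aws:username}", ctx.get("aws:username", ""))
    return fnmatch.fnmatchcase(resource, pattern)


def _condition_holds(stmt, ctx):
    cond = stmt.get("Condition", {})
    for key, want in cond.get("BoolIfExists", {}).items():
        if key not in ctx:
            continue            # ...IfExists: a missing key counts as a match
        if str(ctx[key]).lower() != want.lower():
            return False
    return True


def evaluate(action, resource, ctx, policy=POLICY):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches_action(stmt, action)
                and _matches_resource(stmt, resource, ctx)
                and _condition_holds(stmt, ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"       # an explicit deny always wins
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def scenarios():
    """The cases discussed in this thread, as (label, decision) pairs."""
    return {
        "CLI, long-term key, list buckets": evaluate("s3:ListAllMyBuckets", "*", CLI_LONG_TERM_KEY),
        "CLI, long-term key, enable own MFA": evaluate("iam:EnableMFADevice", OWN_USER, CLI_LONG_TERM_KEY),
        "console after MFA sign-in, list buckets": evaluate("s3:ListAllMyBuckets", "*", CONSOLE_WITH_MFA),
        "CLI, session token with MFA, list buckets": evaluate("s3:ListAllMyBuckets", "*", SESSION_TOKEN_WITH_MFA),
        "CLI, session token without MFA, list buckets": evaluate("s3:ListAllMyBuckets", "*", SESSION_TOKEN_NO_MFA),
    }


if __name__ == "__main__":
    for label, decision in scenarios().items():
        print(f"{decision:13} {label}")
```

The second scenario is why self-enrolment still works: `iam:EnableMFADevice` is in the deny statement's `NotAction` list, so the deny never applies to it. Everything else is denied until the request context carries `aws:MultiFactorAuthPresent = true`, which a long-term key can never provide on its own.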
