Cross account access, not possible to switch role when this one has MFA enabled

0

IAM > Role > Create > AWS account (Allow entities in other AWS accounts belonging to you or a 3rd party to perform actions in this account.) > Select the accountId > Require MFA. Then go to the console > Switch role > Role name and an accountId in the same organisation (or even the same accountId previously linked to the role just created). Then nothing happens.

aolfa
asked 6 months ago, 243 views
4 Answers
1

Hey Aolfa,

From reading through your comments I see that your users federate onto this AWS account, and from there they switch to another role.

The conditional operator which you have in the Trust Relationship of the role, the one that checks for the presence of an MFA token, is looking for the MFA token that could be associated with an IAM User. If you're federating, then the MFA token isn't passed in the SAML Response, so in this case the AWS IAM service will always fail on the MFA check, because it's not present.

If you have it so that MFA is a hard requirement for authenticating against your IdP, then why do you need such a check on this other role? I.e. If the only way into the AWS jump account requires MFA at the IdP, then you have mitigated the risk of further actions being taken by users without an MFA - because they can't AuthN in.

It is possible to pass a custom attribute from most IdPs which you can populate with a Boolean value on whether or not MFA was used at AuthN, and then you can have the conditional operator look for that, but I would take a step back and instead of asking 'How do I do this?', ask 'What risk am I mitigating by doing this?'.

AWS
answered 5 months ago
reviewed a month ago
0
Accepted Answer

Hi Ciaran,

Thank you for your reply. In my use case, I would like to be sure that devices used to auth in the AWS console are recognized by AWS, as authorized federated users are coming from different IdPs. Could it be a legacy issue, or an uninteresting use case?

aolfa
answered 5 months ago
  • "devices used to auth in aws console are recognized by AWS" - by configuring an IdP as an AuthN means of accessing an AWS account, you're making them 'recognised' by that AWS account. Seems like what you want to do is to ensure that all federating users HAVE to have passed an MFA token. This is where passing session tags comes into play - you will want to pass an attribute from the federating IdP in the SAML Response which denotes whether an MFA was used or not. You will then leverage this as a session tag on the federated user - and you can check for this tag when role chaining (jumping from role to role). While possible, I would still stop and ask - Why do so many IdP sources outside of your control need access to an AWS account? Perhaps a Cognito solution would meet your needs better? Or perhaps users don't need console access at all?

  • Yes, better in my case to block console access; that's what I will do! Thank you.

0

This is a bit old but still a valid document on how role switching works when MFA is required.

https://aws.amazon.com/blogs/security/how-do-i-protect-cross-account-access-using-mfa-2/

You seem to have configured the role as it should be, but you didn't mention if the user who is about to assume the role has done MFA authentication for the current session, i.e. MFA is not attached to the role, but to the user who wants to assume the role.

Kallu
answered 6 months ago
  • Unfortunately this is how I configured the trusted entity but it still doesn't work:

    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Effect": "Allow",
    			"Action": "sts:AssumeRole",
    			"Principal": {
    				"AWS": "Parent_Account_ID"
    			},
    			"Condition": {
    				"Bool": {
    					"aws:MultiFactorAuthPresent": true
    				}
    			}
    		}
    	]
    }

    This Trust Policy block is even auto-generated. Could it be working only on the CLI and not through Console Switch Role?

0

The MultiFactorAuthPresent conditional context key requires principals assuming this role to pass MFA.

Make sure you've completed all of the following steps:

  1. Create an IAM principal user (or role) in Account B to access Account A. At this time, MFA must be enabled for the user in Account B. (For a role in Account B, the IAM principal assuming that role must have MFA enabled. A role cannot enable MFA on its own; the assumed IAM principal must enable MFA.)

  2. Create an MFA-enabled role in Account A, which is the access target. Create a trust relationship so that Account B can assume this role.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"AWS": "<Account B IAM Principal ARN>"
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"Bool": {
					"aws:MultiFactorAuthPresent": "true"
				}
			}
		}
	]
}

  3. Create an inline trust policy so that the user (or role) in Account B can assume the role in Account A.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "TrustPolicy",
			"Effect": "Allow",
			"Action": "sts:AssumeRole",
			"Resource": "<Account A MFA Enabled Role ARN>"
		}
	]
}

After completing all of the above tasks, log in with MFA to Account B User and try role switching.

AWS
Bailey
answered 5 months ago
  • Just for clarification, here is the use case:

    1. Connected to the console as an SSO federated user
    2. Create an MFA-enabled role R in Account A
    3. Still in Account A (or even in another account B that has a trust policy to A, and A to B) => Switch Role R

    No access... Did I miss something here?
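The behaviour Ciaran and Bailey describe above, modelled in code as an added example that is not from this thread or from AWS: a small evaluator for the trust-policy Condition block, run against constructed request contexts for an IAM user with MFA, an IAM user without MFA, and a SAML-federated session (where STS sets no aws:MultiFactorAuthPresent key at all). The `mfa` session-tag name is an assumption standing in for whatever attribute the IdP sends.

```python
# Added example, not from the thread above: a small model of how IAM evaluates
# the trust-policy condition on aws:MultiFactorAuthPresent for the sessions the
# answers describe. The request contexts are constructed for illustration.

def condition_matches(ctx: dict, operator: str, key: str, expected) -> bool:
    """Evaluate one IAM condition clause against a request context (dict).

    Bool:         key must be present and equal the expected boolean.
    BoolIfExists: a missing key passes; a present key must match.
    StringEquals: key must be present and equal the expected string.
    """
    want = str(expected).lower() == "true" if operator.startswith("Bool") else expected
    if key not in ctx:
        return operator == "BoolIfExists"
    have = ctx[key]
    if operator.startswith("Bool"):
        have = have if isinstance(have, bool) else str(have).lower() == "true"
    return have == want


def trust_policy_allows(ctx: dict, condition: dict) -> bool:
    """A statement's Condition block is an AND over every operator and key."""
    return all(
        condition_matches(ctx, operator, key, expected)
        for operator, clauses in condition.items()
        for key, expected in clauses.items()
    )


# Constructed request contexts for the three situations in the thread.
IAM_USER_MFA = {"aws:MultiFactorAuthPresent": True}      # user signed in with MFA
IAM_USER_NO_MFA = {"aws:MultiFactorAuthPresent": False}  # user signed in without MFA
# SAML-federated session: STS sets no aws:MultiFactorAuthPresent key at all,
# so the only MFA evidence is a session tag the IdP chose to send ("mfa" is assumed).
SAML_SESSION = {"aws:PrincipalTag/mfa": "true"}

# The condition from the trust policy posted in the thread.
MFA_CONDITION = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
# Ciaran's alternative for federated users: check the session tag when role chaining.
TAG_CONDITION = {"StringEquals": {"aws:PrincipalTag/mfa": "true"}}
# BoolIfExists would also let the SAML session through, but only because the
# key is absent, so it proves nothing about MFA and is not a fix.
IF_EXISTS_CONDITION = {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}

if __name__ == "__main__":
    for name, ctx in [("IAM user + MFA", IAM_USER_MFA),
                      ("IAM user, no MFA", IAM_USER_NO_MFA),
                      ("SAML session", SAML_SESSION)]:
        print(f"{name:18} Bool={trust_policy_allows(ctx, MFA_CONDITION)} "
              f"BoolIfExists={trust_policy_allows(ctx, IF_EXISTS_CONDITION)} "
              f"PrincipalTag={trust_policy_allows(ctx, TAG_CONDITION)}")
```

The SAML row is the asker's situation: the posted Bool condition denies it regardless of whether MFA happened at the IdP, and only a condition on a session tag the IdP actually sets can distinguish the two cases.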
