- 最新
- 投票最多
- 评论最多
Hello.
It is possible to configure SCP to disallow IAM users who do not have MFA set.
If the following SCP is set, IAM users will not be able to operate any resources other than those related to IAM without using MFA.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser",
"iam:CreateLoginProfile",
"iam:DeleteLoginProfile",
"iam:GetLoginProfile",
"iam:UpdateLoginProfile"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "*"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ChangePassword",
"iam:GetUser",
"iam:CreateLoginProfile",
"iam:DeleteLoginProfile",
"iam:GetLoginProfile",
"iam:UpdateLoginProfile",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
},
"StringLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:user/*"
]
}
}
}
]
}
For SSO users, the following procedure can be used to enforce this.
https://docs.aws.amazon.com/singlesignon/latest/userguide/how-to-configure-mfa-device-enforcement.html
This SCP does not works at all! I have just deployed it, tested with a localuser created withoutMFA attached AdminPolicy. I also tried at least 3 different versions to EnforceMFA for our organization: including the following: { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowManageOwnUserMFA", "Effect": "Deny", "Action": [ "iam:ListMFADevices", "iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice" ], "Resource": "", "Condition": { "StringLike": { "aws:PrincipalArn": "arn:aws:iam:::user/" } } }, { "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken" ], "Resource": "", "Condition": { "StringLike": { "aws:PrincipalArn": "arn:aws:iam:::user/" }, "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] }
If you use SSO in IAM Identity Center, under authentication you can configure MFA requirements.
Only in internal SSO IDP for AWS. External IDP's simple not supported with MFA. ( example: Azure, or anything which is not AWS Directory Services, AWS Managed Directory for Microsoft Active Directory, or Cognito IDP. ).
相关内容
AWS 官方已更新 2 年前- AWS 官方已更新 1 年前
- AWS 官方已更新 2 年前
- AWS 官方已更新 2 年前
I have not found a working solution yet. Received some SCP from AWS Support but those neither work properly.. Until now the only solution I could enforce MFA to attach users policy directly to user, or users to a group which have attached MFAEnforcement.