
Enable MFA for IAM users

0

Hi AWS, I am planning to write an SCP for the following:

  1. MFA should be enabled for all IAM users.
  2. Hardware MFA should be enabled for the root user.
  3. MFA should be enabled for the root user.

My doubt is whether it is even possible to achieve the requirements I mentioned above via AWS SCP. Please identify.

3 answers
1

Hi, your requirements are a bit unclear. When using the SCP, it is more access management at the OU or account level. So it will be who is allowed to do what, on what Resource. You can use Config to audit and detect if your requirements are currently met or deviated. However, for MFA on root user, Trusted Advisor provides these checks as part of security best practices so you can generate that report at free cost.

AWS
Expert
Answered 2 years ago
1

To the best of my knowledge AWS SCP can't enforce MFA, however you can work around this:

  1. Create an IAM policy that requires MFA to be enabled for users/roles to perform actions in AWS
  2. Attach this IAM policy to the users/roles in your organization.
  3. Create an SCP to ensure that the IAM policy is enforced across all accounts in your organization.

Comment here if you have additional questions, happy to help.

Abhishek

AWS
Expert
Answered 2 years ago
Expert
Reviewed 2 years ago
0

possible to achieve the requirements you mentioned using AWS Service Control Policies (SCPs). Here's how:

  1. MFA for all IAM users: Create an SCP with the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMFAForIAMUsers",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "arn:aws:iam::*:user/${aws:username}",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

This SCP denies all IAM actions if the user doesn't have MFA enabled.

  2. Hardware MFA for the root user: Create an SCP with the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireHardwareMFAForRoot",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "arn:aws:iam::*:root",
      "Condition": {
        "StringNotEquals": {
          "aws:MultiFactorAuthType": "hardware"
        }
      }
    }
  ]
}

This SCP denies all IAM actions for the root user if they don't have hardware MFA enabled.

  3. MFA for the root user: This requirement is already covered by the first SCP, which requires MFA for all IAM users, including the root user.

To resolve any issues, ensure:

  • The SCPs are attached to the correct AWS Organizations or accounts.
  • The policies are correctly formatted and free of errors.
  • The SCPs are evaluated in the correct order (if multiple SCPs are attached).
Expert
Answered 2 years ago
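As an added example (not from any of the answers above and not AWS-provided code), here is the audit side that the first answer points to: a check over an IAM credential report that flags the first and third requirements in the question (root without MFA, IAM users without MFA). The report text below is a constructed sample in the shape of `aws iam get-credential-report` output, with abbreviated columns and made-up values.

```python
import csv
import io

# Constructed sample in the shape of an IAM credential report
# (`aws iam get-credential-report`, base64-decoded); columns are abbreviated
# and every value is made up. Root appears as the literal user `<root_account>`.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,false,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-01T00:00:00+00:00,true,true
bob,arn:aws:iam::123456789012:user/bob,2021-04-01T00:00:00+00:00,true,no_information,false,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-01-01T00:00:00+00:00,false,no_information,false,true
"""


def find_mfa_gaps(report_csv: str) -> dict:
    """Flag MFA gaps from a credential report.

    Returns root_without_mfa (bool), console_users_without_mfa (list) and
    key_only_users (list: no console password, so an MFA-at-sign-in
    requirement never applies to them; they need key rotation or a move
    to roles instead of an MFA policy).
    """
    root_without_mfa = False
    console_users_without_mfa = []
    key_only_users = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        mfa_active = row["mfa_active"].strip().lower() == "true"
        if row["user"] == "<root_account>":
            root_without_mfa = not mfa_active
            continue
        console = row["password_enabled"].strip().lower() == "true"
        if console and not mfa_active:
            console_users_without_mfa.append(row["user"])
        elif not console and row["access_key_1_active"].strip().lower() == "true":
            key_only_users.append(row["user"])
    return {
        "root_without_mfa": root_without_mfa,
        "console_users_without_mfa": console_users_without_mfa,
        "key_only_users": key_only_users,
    }


if __name__ == "__main__":
    print(find_mfa_gaps(SAMPLE_REPORT))
```

The credential report does not say whether root's MFA device is hardware or virtual, so the second requirement needs a different check, for example the AWS Config managed rule root-account-hardware-mfa-enabled (with root-account-mfa-enabled and iam-user-mfa-enabled covering the other two).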
