Skip to content

Instantly share code, notes, and snippets.

@incyclum
Last active April 2, 2020 20:02
Show Gist options
  • Save incyclum/7847f77e7875a9c31a29adef8a3f91d8 to your computer and use it in GitHub Desktop.
Save incyclum/7847f77e7875a9c31a29adef8a3f91d8 to your computer and use it in GitHub Desktop.
AWS IAM Policy - Force MFA - This policy allows users to manage their own passwords and MFA devices but nothing else unless they authenticate with MFA -- *EDIT*: I forgot where I found it in the 1st place. In fact this policy is explained statement by statement in AWS docs: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-man…
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllUsersToListAccounts",
"Effect": "Allow",
"Action": [
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary"
],
"Resource": "*"
},
{
"Sid": "AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:DeleteLoginProfile",
"iam:GetLoginProfile",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
"iam:UpdateLoginProfile",
"iam:ListSigningCertificates",
"iam:DeleteSigningCertificate",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate",
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey",
"iam:DeleteSSHPublicKey",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
"Effect": "Allow",
"Action": [
"iam:ListVirtualMFADevices",
"iam:ListMFADevices"
],
"Resource": [
"arn:aws:iam::*:mfa/*",
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToManageTheirOwnMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "BlockMostAccessUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": [
"iam:ChangePassword",
"iam:CreateLoginProfile",
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:ListVirtualMFADevices",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:ListSSHPublicKeys",
"iam:ListAccessKeys",
"iam:ListServiceSpecificCredentials",
"iam:ListMFADevices",
"iam:GetAccountSummary",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
@davidjeddy
Copy link

This will be very handy; thank you.

@incyclum
Copy link
Author

incyclum commented May 1, 2018

Some people pointed out the original source of that policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html) and they're right I remember that I found it here times ago. Credit where credit is due 😅.

Copy link

ghost commented May 3, 2018

Very nice. There are some problems here - 1) you require MFA to delete MFA. The use case for deleting MFA is... losing your phone, for example. If you want to enable self-service, you can move the user to a crippled group, incorporating some of the policy you have above. I do this with a Lambda function that checks for the association of an MFA with the user. Move users in and out of the crippled group appropriately. 2) you make assumptions about paths (maybe you don't use them, but I do), so something like this is recommended


"Resource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}",
                "arn:aws:iam::*:user/*/${aws:username}"                                                                 
            ],

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment