AWS Require MFA IAM Policy attached to all users
# IAM policy for all users that requires MFA
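# IAM policy document that lets every IAM user manage their own password,
# MFA device and access keys, and denies everything else until the session
# has been authenticated with MFA. Attach the rendered JSON to all human
# IAM users (for example through a group).
#
# IAM evaluation facts this policy relies on:
#   - aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge are only placed in
#     the request context for temporary credentials; a request signed with
#     long-term access keys has both keys absent.
#   - Condition test "Null" with value "true" matches a request whose key is
#     absent, so it matches every non-MFA request; test "Bool" with "true"
#     never matches a request whose key is absent.
#   - "&{aws:username}" is the provider's escape for the IAM policy variable
#     "${aws:username}", which Terraform would otherwise try to interpolate.
#   - var.account_id is the 12-digit account ID without hyphens.
data "aws_iam_policy_document" "require_mfa_policy" {
  # Account-level read-only listing, allowed without MFA.
  # NOTE(review): ListAccountAliases and ListUsers presumably do not support
  # resource-level permissions, in which case this statement only takes
  # effect with resources = ["*"]; verify against the IAM action table.
  statement {
    sid    = "AllowAllUsersToListAccounts"
    effect = "Allow"
    actions = [
      "iam:ListAccountAliases",
      "iam:ListUsers",
    ]
    resources = [
      "arn:aws:iam::${var.account_id}:user/*",
    ]
  }

  # Password / login-profile self-service on the caller's own user only.
  statement {
    sid    = "AllowIndividualUserToSeeTheirAccountInformation"
    effect = "Allow"
    actions = [
      "iam:ChangePassword",
      "iam:CreateLoginProfile",
      "iam:DeleteLoginProfile",
      "iam:GetAccountPasswordPolicy",
      "iam:GetAccountSummary",
      "iam:GetLoginProfile",
      "iam:UpdateLoginProfile",
    ]
    resources = [
      "arn:aws:iam::${var.account_id}:user/&{aws:username}",
    ]
  }

  # Listing MFA devices. ListVirtualMFADevices is account-wide, hence mfa/*.
  statement {
    sid    = "AllowIndividualUserToListTheirMFA"
    effect = "Allow"
    actions = [
      "iam:ListVirtualMFADevices",
      "iam:ListMFADevices",
    ]
    resources = [
      "arn:aws:iam::${var.account_id}:mfa/*",
      "arn:aws:iam::${var.account_id}:user/&{aws:username}",
    ]
  }

  # Enrolling and managing the caller's own MFA device. Create/Enable/Resync
  # are also exempted from the Deny below so a new user can enrol without an
  # MFA session; Deactivate/Delete are NOT exempted, so removing the device
  # requires an MFA-authenticated session (see the Deny statement).
  statement {
    sid    = "AllowIndividualUserToManageTheirMFA"
    effect = "Allow"
    actions = [
      "iam:CreateVirtualMFADevice",
      "iam:DeactivateMFADevice",
      "iam:DeleteVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ResyncMFADevice",
    ]
    resources = [
      "arn:aws:iam::${var.account_id}:mfa/&{aws:username}",
      "arn:aws:iam::${var.account_id}:user/&{aws:username}",
    ]
  }

  # sts:GetSessionToken is the call a user makes with long-term keys plus an
  # MFA code to obtain an MFA-authenticated session. That request carries no
  # MFA context key, so it cannot be gated on aws:MultiFactorAuthPresent
  # (a "Bool" = "true" condition here would never match and the user could
  # never reach an MFA session from the CLI). The temporary credentials it
  # returns are still subject to the Deny below unless they were obtained
  # with an MFA code.
  statement {
    sid       = "AllowGettingAnSTSToken"
    effect    = "Allow"
    actions   = ["sts:GetSessionToken"]
    resources = ["*"]
  }

  # Access-key self-service, only from an MFA-authenticated session.
  statement {
    sid    = "AllowUserToManageTheirOwnAccessKeys"
    effect = "Allow"
    actions = [
      "iam:CreateAccessKey",
      "iam:DeleteAccessKey",
      "iam:GetAccessKeyLastUsed",
      "iam:ListAccessKeys",
      "iam:UpdateAccessKey",
    ]
    resources = ["arn:aws:iam::${var.account_id}:user/&{aws:username}"]
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }

  # Explicit Deny for every action not listed here whenever the request has
  # no MFA context (aws:MultiFactorAuthAge absent). The list must mirror the
  # set of actions intentionally allowed without MFA above; anything added to
  # a non-MFA Allow statement also has to be added here, and vice versa.
  # iam:DeactivateMFADevice and iam:DeleteVirtualMFADevice are deliberately
  # not listed: with only long-term keys a principal must not be able to
  # remove the existing device and re-enrol, which would bypass the MFA
  # requirement. Recovery for a lost device is therefore an administrator
  # task.
  statement {
    sid    = "DoNotAllowAnythingOtherThanAboveUnlessMFAd"
    effect = "Deny"
    not_actions = [
      "iam:ListAccountAliases",
      "iam:ListUsers",
      "iam:ChangePassword",
      "iam:CreateLoginProfile",
      "iam:DeleteLoginProfile",
      "iam:GetAccountPasswordPolicy",
      "iam:GetAccountSummary",
      "iam:GetLoginProfile",
      "iam:UpdateLoginProfile",
      "iam:ListVirtualMFADevices",
      "iam:ListMFADevices",
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ResyncMFADevice",
      "sts:GetSessionToken",
    ]
    resources = ["*"]
    condition {
      test     = "Null"
      variable = "aws:MultiFactorAuthAge"
      values   = ["true"]
    }
  }
}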