
amazon-web-services: Enforce MFA for AWS console login but not for API calls

2024-12-31  shangdawei

I want to force all IAM users (local and remote) to enable and activate their MFA device.
I want them all to have MFA in place for their respective tasks.
I am trying the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
        }
    ]
}
However, this policy applies regardless of whether you access the services through the console or the API.
All of the users have a lot of automation, and because MFA authentication is not implied there, their automation breaks.
As a first step we want everyone to at least enable MFA for console login; but it should not also force them to use MFA for the API calls used in their automation.
Is this achievable through an IAM policy?
Thanks

Please refer to the following approach:

The trick is to invert the check... rather than only allowing when aws:MultiFactorAuthPresent is true, deny when it is false.
Here is the documentation for self-service MFA management: http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html
The full policy suggested there is:

{ 
    "Version": "2012-10-17", 
    "Statement":[ 
        { 
            "Sid": "AllowAllUsersToListAccounts", 
            "Effect": "Allow", 
            "Action":[ 
                "iam:ListAccountAliases", 
                "iam:ListUsers", 
                "iam:GetAccountSummary" 
            ], 
            "Resource": "*" 
        }, 
        { 
            "Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation", 
            "Effect": "Allow", 
            "Action":[ 
                "iam:ChangePassword", 
                "iam:CreateAccessKey", 
                "iam:CreateLoginProfile", 
                "iam:DeleteAccessKey", 
                "iam:DeleteLoginProfile", 
                "iam:GetAccountPasswordPolicy", 
                "iam:GetLoginProfile", 
                "iam:ListAccessKeys", 
                "iam:UpdateAccessKey", 
                "iam:UpdateLoginProfile", 
                "iam:ListSigningCertificates", 
                "iam:DeleteSigningCertificate", 
                "iam:UpdateSigningCertificate", 
                "iam:UploadSigningCertificate", 
                "iam:ListSSHPublicKeys", 
                "iam:GetSSHPublicKey", 
                "iam:DeleteSSHPublicKey", 
                "iam:UpdateSSHPublicKey", 
                "iam:UploadSSHPublicKey" 
            ], 
            "Resource": "arn:aws:iam::accountid:user/${aws:username}" 
        }, 
        { 
            "Sid": "AllowIndividualUserToListTheirOwnMFA", 
            "Effect": "Allow", 
            "Action":[ 
                "iam:ListVirtualMFADevices", 
                "iam:ListMFADevices" 
            ], 
            "Resource":[ 
                "arn:aws:iam::accountid:mfa/*", 
                "arn:aws:iam::accountid:user/${aws:username}" 
            ] 
        }, 
        { 
            "Sid": "AllowIndividualUserToManageTheirOwnMFA", 
            "Effect": "Allow", 
            "Action":[ 
                "iam:CreateVirtualMFADevice", 
                "iam:DeactivateMFADevice", 
                "iam:DeleteVirtualMFADevice", 
                "iam:RequestSmsMfaRegistration", 
                "iam:FinalizeSmsMfaRegistration", 
                "iam:EnableMFADevice", 
                "iam:ResyncMFADevice" 
            ], 
            "Resource":[ 
                "arn:aws:iam::accountid:mfa/${aws:username}", 
                "arn:aws:iam::accountid:user/${aws:username}" 
            ] 
        }, 
        { 
            "Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA", 
            "Effect": "Deny", 
            "NotAction": "iam:*", 
            "Resource": "*", 
            "Condition":{ 
                "BoolIfExists":{ "aws:MultiFactorAuthPresent": "false"} 
            } 
        } 
    ] 
} 
The most important part is the last statement, which does the deny. If you change it to this:
{ 
    "Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA", 
    "Effect": "Deny", 
    "NotAction": "iam:*", 
    "Resource": "*", 
    "Condition":{ 
        "Bool":{ "aws:MultiFactorAuthPresent": "false"} 
    } 
} 
(BoolIfExists changed to Bool) it will allow IAM access keys to bypass the MFA requirement while still requiring you to use MFA when logging in through the AWS console. (Note: this does not work for all APIs; some APIs, such as ECR, always supply the "MultiFactorAuthPresent" attribute, which breaks this workaround.)
Be very careful if you decide to use the full policy from the documentation. Note that it allows users to create access keys and change their password, and the deny clause only blocks non-IAM actions... meaning that if an account has MFA disabled, the user's password could be changed, or new access keys could be provisioned, without any MFA check, and if you made the Bool change, those new access keys would be able to access anything the user has access to without MFA. I.e., all the security holes of an unsecured key, plus some potential for account hijacking.
I would suggest a policy similar to this:
Note: because of the security issues mentioned in the comments, this policy should not be used verbatim.
{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Sid": "AllowAllUsersToListAccounts", 
            "Effect": "Allow", 
            "Action": [ 
                "iam:ListAccountAliases", 
                "iam:ListUsers" 
            ], 
            "Resource": [ 
                "arn:aws:iam::accountid:user/*" 
            ] 
        }, 
        { 
            "Sid": "AllowIndividualUserToSeeTheirAccountInformation", 
            "Effect": "Allow", 
            "Action": [ 
                "iam:GetAccountPasswordPolicy", 
                "iam:GetAccountSummary", 
                "iam:GetLoginProfile" 
            ], 
            "Resource": [ 
                "arn:aws:iam::accountid:user/${aws:username}" 
            ] 
        }, 
        { 
            "Sid": "AllowIndividualUserToListTheirMFA", 
            "Effect": "Allow", 
            "Action": [ 
                "iam:ListVirtualMFADevices", 
                "iam:ListMFADevices" 
            ], 
            "Resource": [ 
                "arn:aws:iam::accountid:mfa/*", 
                "arn:aws:iam::accountid:user/${aws:username}" 
            ] 
        }, 
        { 
            "Sid": "AllowIndividualUserToManageThierMFA", 
            "Effect": "Allow", 
            "Action": [ 
                "iam:CreateVirtualMFADevice", 
                "iam:DeactivateMFADevice", 
                "iam:DeleteVirtualMFADevice", 
                "iam:EnableMFADevice", 
                "iam:ResyncMFADevice" 
            ], 
            "Resource": [ 
                "arn:aws:iam::accountid:mfa/${aws:username}", 
                "arn:aws:iam::accountid:user/${aws:username}" 
            ] 
        }, 
        { 
            "Sid": "DoNotAllowAnythingOtherThanAboveUnlessMFAd", 
            "Effect": "Deny", 
            "NotAction": "iam:*", 
            "Resource": "*", 
            "Condition": { 
                "Bool": { 
                    "aws:MultiFactorAuthPresent": "false" 
                } 
            } 
        } 
    ] 
}
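The whole answer hinges on one evaluation detail: for a request signed with a long-term access key the aws:MultiFactorAuthPresent key is simply absent from the request context, and Bool and BoolIfExists treat an absent key differently. The following offline simulator is an added example written for this page, not AWS's evaluator or any code from the answer; it implements only the subset of the policy language the policies above use (Allow/Deny, Action/NotAction, Resource wildcards, ${aws:username}, Bool/BoolIfExists, explicit-deny-wins) and replays the three request shapes discussed: console session with MFA, console session without MFA, and a plain access-key API call. The account id, user name, and the "s3:*" job permission are constructed placeholders; it also checks the key-management hole the answer warns about by comparing the documented policy (which allows iam:CreateAccessKey) with the trimmed one.

```python
"""Offline simulation of IAM's handling of aws:MultiFactorAuthPresent under
Bool vs BoolIfExists.  Added example for this page; not AWS's evaluator.
Supports only what the page's policies need: Effect, Action/NotAction,
Resource (wildcards, ${aws:username}), Condition Bool/BoolIfExists.
Evaluation order follows IAM: explicit Deny wins, then Allow, else implicit deny."""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"          # constructed; stands in for the page's "accountid"
USER = "alice"                    # constructed user name

# Request contexts.  Only temporary credentials (e.g. a console session) carry
# the aws:MultiFactorAuthPresent key; a long-term access key omits it entirely.
CONSOLE_MFA   = {"aws:username": USER, "aws:MultiFactorAuthPresent": "true"}
CONSOLE_NOMFA = {"aws:username": USER, "aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY    = {"aws:username": USER}     # key absent, not "false"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _cond_matches(cond, ctx):
    """True if every condition block matches.  The point of the exercise:
    Bool         -> a key missing from the context never matches
    BoolIfExists -> a missing key is treated as satisfied."""
    for op, tests in cond.items():
        for key, want in tests.items():
            if key not in ctx:
                if op == "BoolIfExists":
                    continue
                return False
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True


def _stmt_applies(stmt, action, resource, ctx):
    act = action.lower()
    if "Action" in stmt:
        if not any(fnmatchcase(act, a.lower()) for a in _as_list(stmt["Action"])):
            return False
    elif any(fnmatchcase(act, a.lower()) for a in _as_list(stmt["NotAction"])):
        return False
    user = ctx.get("aws:username", "")
    patterns = [r.replace("${aws:username}", user).replace("accountid", ACCOUNT)
                for r in _as_list(stmt["Resource"])]
    if not any(fnmatchcase(resource, p) for p in patterns):
        return False
    return _cond_matches(stmt.get("Condition", {}), ctx)


def evaluate(policy, action, resource, ctx):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny'."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _stmt_applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"             # explicit deny always wins
        result = "Allow"
    return result


def mfa_policy(operator, allow_key_management):
    """Condensed shape of the answer's policies: self-service IAM allows, the
    user's normal job permissions (constructed here as s3:*), and a Deny of
    everything outside iam:* unless MFA is present.  operator is 'Bool' or
    'BoolIfExists'; allow_key_management=True mirrors the documented policy
    that also grants iam:CreateAccessKey and iam:ChangePassword."""
    self_service = ["iam:ListMFADevices", "iam:CreateVirtualMFADevice",
                    "iam:EnableMFADevice", "iam:ResyncMFADevice"]
    if allow_key_management:
        self_service += ["iam:CreateAccessKey", "iam:ChangePassword"]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": self_service,
         "Resource": ["arn:aws:iam::accountid:user/${aws:username}",
                      "arn:aws:iam::accountid:mfa/${aws:username}"]},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "NotAction": "iam:*", "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
    ]}


if __name__ == "__main__":
    own_user = f"arn:aws:iam::{ACCOUNT}:user/{USER}"
    for op in ("BoolIfExists", "Bool"):
        pol = mfa_policy(op, allow_key_management=True)
        for name, ctx in (("console+MFA", CONSOLE_MFA), ("console no MFA", CONSOLE_NOMFA),
                          ("access key", ACCESS_KEY)):
            print(f"{op:13} {name:15} s3:GetObject -> "
                  f"{evaluate(pol, 's3:GetObject', 'arn:aws:s3:::bkt/obj', ctx)}")
    # The hole the answer warns about: without MFA, the documented policy still
    # lets the user mint a new access key, which then bypasses the Bool deny.
    print("no MFA, documented policy, iam:CreateAccessKey ->",
          evaluate(mfa_policy("Bool", True), "iam:CreateAccessKey", own_user, CONSOLE_NOMFA))
    print("no MFA, trimmed policy,    iam:CreateAccessKey ->",
          evaluate(mfa_policy("Bool", False), "iam:CreateAccessKey", own_user, CONSOLE_NOMFA))
```

Running it shows the asymmetry the answer describes: with BoolIfExists the access-key request is denied (automation breaks), with Bool it is allowed while a console session without MFA is still denied. The same table also shows why an API that always supplies the key with value "false" (the ECR caveat) is indistinguishable from a no-MFA console session and gets denied under either operator. The last two lines reproduce the key-management hole: the documented self-service statement lets a user who has not completed MFA create a fresh access key, and that key's requests carry no MFA key at all, so the Bool deny never fires for them.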