我希望强制所有 IAM 用户(本地和远程)启用和激活他们的 MFA 设备。
我希望他们都能让 MFA 完成各自的任务。
我正在尝试以下政策
{
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
}
然而;无论您通过控制台或 API 访问服务的方式如何,此政策均适用。
所有用户都完成了大量自动化,并且由于未暗示 MFA 身份验证,因此他们的自动化中断。
作为第一步,我们希望大家至少启用 MFA 进行控制台登录;但同样不应强制他们将 MFA 用于自动化中使用的 API 调用。
这是否可以通过 IAM 政策实现?
谢谢
请您参考如下方法:
诀窍是反转检查......而不是仅在 aws:MultiFactorAuthPresent 为真时才允许,如果为假则拒绝。
这是自助 MFA 管理的文档:http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html
那里建议的完整政策是:
{
"Version": "2012-10-17",
"Statement":[
{
"Sid": "AllowAllUsersToListAccounts",
"Effect": "Allow",
"Action":[
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:GetAccountSummary"
],
"Resource": "*"
},
{
"Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation",
"Effect": "Allow",
"Action":[
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:DeleteAccessKey",
"iam:DeleteLoginProfile",
"iam:GetAccountPasswordPolicy",
"iam:GetLoginProfile",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
"iam:UpdateLoginProfile",
"iam:ListSigningCertificates",
"iam:DeleteSigningCertificate",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate",
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey",
"iam:DeleteSSHPublicKey",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::accountid:user/${aws:username}"
},
{
"Sid": "AllowIndividualUserToListTheirOwnMFA",
"Effect": "Allow",
"Action":[
"iam:ListVirtualMFADevices",
"iam:ListMFADevices"
],
"Resource":[
"arn:aws:iam::accountid:mfa/*",
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToManageTheirOwnMFA",
"Effect": "Allow",
"Action":[
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:RequestSmsMfaRegistration",
"iam:FinalizeSmsMfaRegistration",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource":[
"arn:aws:iam::accountid:mfa/${aws:username}",
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition":{
"BoolIfExists":{ "aws:MultiFactorAuthPresent": "false"}
}
}
]
}
最重要的部分是最后一个语句,它进行否认。如果你改成这样:
{
"Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition":{
"Bool":{ "aws:MultiFactorAuthPresent": "false"}
}
}
(BoolIfExists 改为 Bool)它将允许 IAM 访问 key 绕过 MFA 的要求,同时仍然要求您在通过 AWS 控制台登录时使用 MFA。 (
注意 :这不适用于所有 API;某些 API,例如 ECR,始终提供“MultiFactorAuthPresent”属性,这会破坏此解决方法)
如果您决定使用文档中的完整策略,请务必小心。请注意,它允许用户创建访问 key 并更改其密码,并且 deny 子句仅阻止非 IAM 操作……这意味着,如果某个帐户的 MFA 被禁用,则用户的密码可能会被更改或新的访问 key 可以在没有 MFA 检查的情况下进行配置,如果您进行了 Bool 更改,这些新的访问 key 将能够访问用户有权访问的任何内容,而无需 MFA。即,不安全 key 的所有安全漏洞,以及一些帐户劫持的可能性。
我建议使用类似于此的策略:
注意:由于评论 中提到的安全问题,不应逐字使用此策略。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllUsersToListAccounts",
"Effect": "Allow",
"Action": [
"iam:ListAccountAliases",
"iam:ListUsers"
],
"Resource": [
"arn:aws:iam::accountid:user/*"
]
},
{
"Sid": "AllowIndividualUserToSeeTheirAccountInformation",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetLoginProfile"
],
"Resource": [
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToListTheirMFA",
"Effect": "Allow",
"Action": [
"iam:ListVirtualMFADevices",
"iam:ListMFADevices"
],
"Resource": [
"arn:aws:iam::accountid:mfa/*",
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToManageThierMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource": [
"arn:aws:iam::accountid:mfa/${aws:username}",
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "DoNotAllowAnythingOtherThanAboveUnlessMFAd",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}