Require MFA, but not for programmatic access

If you are looking for a way to enforce MFA for users when they log in to the console without limiting their programmatic access, look no further! Attach this policy to users to cut off all their access until they have logged in with MFA. Bonus points here because using this policy, the user is able to log in and configure their MFA on their own! Once MFA has been configured, the user will have to log out, and then back in again with their MFA token.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllUsersToListAccounts",
            "Effect": "Allow",
            "Action": [
                "iam:ListAccountAliases",
                "iam:GetAccountPasswordPolicy",
                "iam:ListUsers"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowIndividualUserToSeeTheirAccountInformation",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetAccountSummary",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToListTheirMFA",
            "Effect": "Allow",
            "Action": [
                "iam:ListVirtualMFADevices",
                "iam:ListMFADevices"
            ],
            "Resource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:mfa/*",
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToManageThierMFA",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:mfa/${aws:username}",
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/${aws:username}"
            ]
        },
        {
            "Sid": "DenyEverythingExceptForBelowUnlessMFAd",
            "Effect": "Deny",
            "NotAction": [
                "iam:ListVirtualMFADevices",
                "iam:ListMFADevices",
                "iam:ListUsers",
                "iam:ListAccountAliases",
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        },
        {
            "Sid": "DenyIamAccessToOtherAccountsUnlessMFAd",
            "Effect": "Deny",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetAccountSummary",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "NotResource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:mfa/${aws:username}",
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/${aws:username}"
            ],
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
 
3
Kudos
 
3
Kudos

Now read this

ext_conf and its uses with omnibus!

So I’ve mentioned in the past that I was struggling to integrate kitchen-cabinet with omnibus tools like chef (or chefdk). My old solution was to do this: def self.chef_check if File.exist?('/opt/chef') ENV['GEM_HOME'] =... Continue →