Require MFA, but not for programmatic access

If you are looking for a way to enforce MFA for users when they log in to the console without limiting their programmatic access, look no further! Attach this policy to users to cut off all their access until they have logged in with MFA. Bonus points here because using this policy, the user is able to log in and configure their MFA on their own! Once MFA has been configured, the user will have to log out, and then back in again with their MFA token.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllUsersToListAccounts",
            "Effect": "Allow",
            "Action": [
                "iam:ListAccountAliases",
                "iam:GetAccountPasswordPolicy",
                "iam:ListUsers"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowIndividualUserToSeeTheirAccountInformation",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetAccountSummary",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToListTheirMFA",
            "Effect": "Allow",
            "Action": [
                "iam:ListVirtualMFADevices",
                "iam:ListMFADevices"
            ],
            "Resource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:mfa/*",
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToManageThierMFA",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:mfa/${aws:username}",
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/${aws:username}"
            ]
        },
        {
            "Sid": "DenyEverythingExceptForBelowUnlessMFAd",
            "Effect": "Deny",
            "NotAction": [
                "iam:ListVirtualMFADevices",
                "iam:ListMFADevices",
                "iam:ListUsers",
                "iam:ListAccountAliases",
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        },
        {
            "Sid": "DenyIamAccessToOtherAccountsUnlessMFAd",
            "Effect": "Deny",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetAccountSummary",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "NotResource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:mfa/${aws:username}",
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/${aws:username}"
            ],
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
 
3
Kudos
 
3
Kudos

Now read this

AutoPkg Overrides

So now that AutoPkg is setup for use with munki, we can create overrides to (just guess) override the default values in our recipes. In my last article, I gave this as an example - The following new items were downloaded:... Continue →