Require MFA, but not for programmatic access

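If you are looking for a way to enforce MFA for users when they log in to the console without limiting their programmatic access, look no further! Attach this policy to users (after replacing YOUR_ACCOUNT_ID with your own account ID) to cut off all their console access until they have logged in with MFA. Programmatic access is left alone because the Deny statements test aws:MultiFactorAuthPresent with the Bool operator: requests signed with long-term access keys do not carry that key at all, so the condition does not match and the Deny does not apply. This also means the policy gives no MFA protection to those access keys. Bonus points here because using this policy, the user is able to log in and configure their MFA on their own! Once MFA has been configured, the user will have to log out, and then back in again with their MFA token.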

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllUsersToListAccounts",
            "Effect": "Allow",
            "Action": [
                "iam:ListAccountAliases",
                "iam:GetAccountPasswordPolicy",
                "iam:ListUsers"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowIndividualUserToSeeTheirAccountInformation",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetAccountSummary",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToListTheirMFA",
            "Effect": "Allow",
            "Action": [
                "iam:ListVirtualMFADevices",
                "iam:ListMFADevices"
            ],
            "Resource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:mfa/*",
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToManageTheirMFA",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:mfa/${aws:username}",
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/${aws:username}"
            ]
        },
        {
            "Sid": "DenyEverythingExceptForBelowUnlessMFAd",
            "Effect": "Deny",
            "NotAction": [
                "iam:ListVirtualMFADevices",
                "iam:ListMFADevices",
                "iam:ListUsers",
                "iam:ListAccountAliases",
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        },
        {
            "Sid": "DenyIamAccessToOtherAccountsUnlessMFAd",
            "Effect": "Deny",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetAccountSummary",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "NotResource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:mfa/${aws:username}",
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/${aws:username}"
            ],
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
 