我希望强制所有 IAM 用户(本地和远程)启用和激活他们的 MFA 设备。
我正在尝试以下策略
{
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
}
但是,无论您如何通过控制台或 API 访问服务,此策略都适用。
所有用户都完成了很多自动化,他们的自动化中断了,因为没有暗示 MFA 身份验证。
作为第一步,我们希望每个人都至少为控制台登录启用 MFA;但同样不应该强制他们将 MFA 用于自动化中使用的 API 调用。
这是否可以通过 IAM 策略实现?
谢谢
诀窍是反向检查...而不是只允许如果 aws:MultiFactorAuthPresent 是真的,否认它是假的。
以下是关于自助 MFA 管理的文档:http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html
建议的完整政策是:
{
"Version": "2012-10-17",
"Statement":[
{
"Sid": "AllowAllUsersToListAccounts",
"Effect": "Allow",
"Action":[
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:GetAccountSummary"
],
"Resource": "*"
},
{
"Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation",
"Effect": "Allow",
"Action":[
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:DeleteAccessKey",
"iam:DeleteLoginProfile",
"iam:GetAccountPasswordPolicy",
"iam:GetLoginProfile",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
"iam:UpdateLoginProfile",
"iam:ListSigningCertificates",
"iam:DeleteSigningCertificate",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate",
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey",
"iam:DeleteSSHPublicKey",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::accountid:user/${aws:username}"
},
{
"Sid": "AllowIndividualUserToListTheirOwnMFA",
"Effect": "Allow",
"Action":[
"iam:ListVirtualMFADevices",
"iam:ListMFADevices"
],
"Resource":[
"arn:aws:iam::accountid:mfa/*",
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToManageTheirOwnMFA",
"Effect": "Allow",
"Action":[
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:RequestSmsMfaRegistration",
"iam:FinalizeSmsMfaRegistration",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource":[
"arn:aws:iam::accountid:mfa/${aws:username}",
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition":{
"BoolIfExists":{ "aws:MultiFactorAuthPresent": "false"}
}
}
]
}
最重要的部分是最后一个语句,它拒绝。
{
"Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition":{
"Bool":{ "aws:MultiFactorAuthPresent": "false"}
}
}
(BoolIfExists 更改为 Bool)它将允许 IAM 访问密钥绕过 MFA 的要求,同时仍要求您在通过 AWS 控制台登录时使用 MFA。(注意:这不适用于所有 API;有些(例如 ECR)始终提供“MultiFactorAuthPresent”属性,这会此解决方法)
请注意,它允许用户创建访问密钥并更改其密码,而 deny 子句仅阻止非 IAM 操作...这意味着,如果在某个账户上禁用了 MFA,则无需 MFA 检查即可更改用户的密码或预配新的访问密钥,如果您进行了 Bool 更改,则这些新的访问密钥将能够访问用户拥有的所有安全密钥。
我建议使用类似的政策来代替:
注意:由于注释中提到的安全问题,不应逐字使用此策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllUsersToListAccounts",
"Effect": "Allow",
"Action": [
"iam:ListAccountAliases",
"iam:ListUsers"
],
"Resource": [
"arn:aws:iam::accountid:user/*"
]
},
{
"Sid": "AllowIndividualUserToSeeTheirAccountInformation",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetLoginProfile"
],
"Resource": [
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToListTheirMFA",
"Effect": "Allow",
"Action": [
"iam:ListVirtualMFADevices",
"iam:ListMFADevices"
],
"Resource": [
"arn:aws:iam::accountid:mfa/*",
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToManageThierMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource": [
"arn:aws:iam::accountid:mfa/${aws:username}",
"arn:aws:iam::accountid:user/${aws:username}"
]
},
{
"Sid": "DoNotAllowAnythingOtherThanAboveUnlessMFAd",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
为每个人创建 2 个 IAM 用户:
一个用于强制执行 MFA 的 AWS 控制台登录,以及
一个用于没有密码且不强制 MFA 的 API 使用
为后代发布。我尝试使用 Josh Han 发布的方法,但来自强制控制台 MFA 账户的 api 调用对于某些 AWS 服务如弹性文件系统和某些 s3 api 调用失败。当引发支持票时,来自 AWS 的响应是,“有一个针对此精确问题的功能请求,因为目前没有可靠的机制来强制 MFA 仅用于控制台。我已将您的账户添加到请求其他用户的 MFA 工作账户列表中。
我有一个不同的解决方案。我有一个“ForceMFA”组,它不允许你做任何事情 (除了分配 MFA),除非你启用了 MFA。我有一个小脚本,每小时运行一次,扫描所有用户,并将任何没有 MFA 的用户添加到“ForceMFA”组中。同样的脚本也从组中删除启用了 MFA 的用户。这样,我强制人们启用 MFA,但不需要 MFA
是我使用的小 Powershell 6 脚本:https://gist.github.com/kalpik/36beffd25bda2a0c38905176f7e557aa
本站系公益性非盈利分享网址,本文来自用户投稿,不代表码文网立场,如若转载,请注明出处
评论列表(3条)