Friday, May 15, 2020

Using MFA with AWS CLI

It is quite obvious nowadays that you must use MFA wherever it is available.
Enabling MFA for your user account in AWS IAM automatically enforces it for AWS Web UI (console) login.

But what about the AWS CLI, your own code using the AWS SDK, and third-party SDK-based tools?
In this case, to leverage MFA you need to enforce it with a "Condition" statement in the IAM policy assigned to your user, as described in the following AWS manual:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html

In a nutshell, something like this:

Enforce MFA for assuming the role (the role's trust policy):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:user/anika" },
      "Action": "sts:AssumeRole",
      "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
    }
  ]
}

Add MFA to your AWS CLI profile:

[profile role-with-mfa]
region = us-west-2
role_arn = arn:aws:iam::128716708097:role/cli-role
source_profile = cli-user
mfa_serial = arn:aws:iam::128716708097:mfa/cli-user

Simple? Not exactly - here are some tricky things that are not covered by the AWS documentation (at least I was not able to find them).

1. The AWS documentation is a bit misleading: in the IAM statement and the documentation the user name mentioned is Anika, but all the CLI configs point to the non-existent CLI profile "cli-user".

2. The AWS CLI MFA configuration (mfa_serial) works ONLY when you are assuming a role. Yes, if you have one simple account with a few users and groups (as many small companies do), you can't leverage this functionality without a small trick (item 3).

3. You can still leverage MFA with the CLI by using a role:

  • Strip all access from the user you log in with, except "assume role", or alternatively enforce MFA for all actions using the condition shown above.
Note:
If you strip all permissions, you will need to assume the role even when using the Web UI.
If you use the alternative approach and enforce MFA for all API actions, you can keep using the Web UI without assuming a role, the same way you did before.
  • Create a role (example: MyOrganizationAccountAccessRole) to assume in the same account, with MFA enforced and all required access rights. If you have more than one account, create this role in the other accounts as well, with the same MFA enforcement condition.
  • Create an extra profile my-account-mfa (in addition to the main account profile my_account) for accessing the same account (my-account) using this role:
[profile my-account-mfa]
role_arn = arn:aws:iam::123456789:role/MyOrganizationAccountAccessRole
source_profile = my_account
mfa_serial = arn:aws:iam::123456789:mfa/it-security@ca

[profile my_account]
output = json
region = us-east-1
mfa_serial = arn:aws:iam::123456789:mfa/it-security@ca

[profile my_second_account]
role_arn = arn:aws:iam::987654321:role/MyOrganizationAccountAccessRole
source_profile = my_account
mfa_serial = arn:aws:iam::123456789:mfa/it-security@ca

Note: all role profiles reference the my_account profile as their source.


If needed, create an extra profile (my_second_account) for any other account you need to access using the role.

Use the profile my-account-mfa for your CLI access to the main account or for any tools. You will see an MFA prompt, and after providing the MFA code everything will work like a charm.
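As an added example (not from the original post), here is a small Python check over the profile layout described above. Following the post's observations, it flags profiles whose mfa_serial will be ignored because there is no role_arn (item 2) and role profiles whose source_profile does not exist in the config (item 1). The config text is constructed here from this post's profiles plus AWS's "role-with-mfa" example; the account IDs are the placeholders used on this page.

```python
import configparser
from typing import Dict, List

# Constructed sample ~/.aws/config (not the author's file): the post's three profiles
# plus AWS's "role-with-mfa" example, whose source profile "cli-user" is not defined.
SAMPLE_CONFIG = """
[profile my_account]
output = json
region = us-east-1
mfa_serial = arn:aws:iam::123456789:mfa/it-security@ca

[profile my-account-mfa]
role_arn = arn:aws:iam::123456789:role/MyOrganizationAccountAccessRole
source_profile = my_account
mfa_serial = arn:aws:iam::123456789:mfa/it-security@ca

[profile my_second_account]
role_arn = arn:aws:iam::987654321:role/MyOrganizationAccountAccessRole
source_profile = my_account
mfa_serial = arn:aws:iam::123456789:mfa/it-security@ca

[profile role-with-mfa]
region = us-west-2
role_arn = arn:aws:iam::128716708097:role/cli-role
source_profile = cli-user
mfa_serial = arn:aws:iam::128716708097:mfa/cli-user
"""


def audit_profiles(config_text: str) -> Dict[str, List[str]]:
    """Map each profile to findings; an empty list means the CLI will prompt for MFA."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(config_text)
    # ~/.aws/config names sections "[profile X]", except the bare "[default]".
    profiles = {s.split("profile ", 1)[-1]: dict(parser[s]) for s in parser.sections()}
    findings: Dict[str, List[str]] = {}
    for name, opts in profiles.items():
        role_arn, mfa, source = opts.get("role_arn"), opts.get("mfa_serial"), opts.get("source_profile")
        issues: List[str] = []
        if mfa and not role_arn:
            issues.append("mfa_serial without role_arn: the CLI ignores it and never prompts for MFA")
        if role_arn and not mfa:
            issues.append("role_arn without mfa_serial: the role is assumed without MFA")
        if role_arn and source and source not in profiles:
            issues.append(f"source_profile '{source}' does not exist in this config")
        findings[name] = issues
    return findings
```

Run it against your own ~/.aws/config by reading the file into a string and passing it to audit_profiles; only profiles with an empty findings list will actually trigger the MFA prompt.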

Enjoy and stay secure!
