Enforcing the use of MFA devices

At this point, users who are part of the AllUsers group have enough permissions to manage their own accounts. We can now restrict the permissions of users whose accounts are not configured to use an MFA device, or who haven't refreshed their MFA session within a certain amount of time. To do that, we will add two new statements to the CommonIamPolicy policy as follows:

  1. Reopen the script in your editor.
  2. We will first add a few extra classes to the awacs.aws import section, around Line 18. We will add:
    from awacs.aws import (
        Action,
        Allow,
        Condition,
        NumericGreaterThan,
        Deny,
        Null,
        Policy,
        Statement,
    )
  3. Now that this is in place, we can add our new entries to the statement array of the CommonIamPolicy managed policy. At the end of the third statement, around Line 95, add the following statement:
    Statement(
        Effect=Deny,
        NotAction=[
            Action("iam", "ChangePassword"),
            Action("iam", "CreateVirtualMFADevice"),
            Action("iam", "EnableMFADevice"),
            Action("iam", "GetUser"),
            Action("iam", "ListMFADevices"),
            Action("iam", "ListUsers"),
            Action("iam", "ListVirtualMFADevices"),
        ],
        Resource=["*"],
        Condition=Condition(
            Null("aws:MultiFactorAuthAge", "true"),
        ),
    ),

The statements we created previously allowed certain actions to be performed: they used the effect Allow together with a list of actions. Here we are doing the opposite. We deny every action on every resource whenever the aws:MultiFactorAuthAge condition key is null, which is the case when the request was not made with credentials obtained through MFA authentication (for example, by a user who has not set up an MFA device yet). Everything that is not explicitly allowed is denied by default, and an explicit Deny always takes precedence over an Allow, so if we still want our users to be able to configure their own accounts, we need to exempt a few actions from the Deny statement. This is what the NotAction section does: the statement applies to every action except the ones listed.

  4. We now need to add one more statement after this last one, this time denying access to almost everything when the MFA session is older than 12 hours (43200 seconds; aws:MultiFactorAuthAge holds the number of seconds elapsed since the MFA authentication). We will do that by duplicating the preceding statement and changing only the condition, as follows:
    Statement(
        Effect=Deny,
        NotAction=[
            Action("iam", "ChangePassword"),
            Action("iam", "CreateVirtualMFADevice"),
            Action("iam", "EnableMFADevice"),
            Action("iam", "GetUser"),
            Action("iam", "ListMFADevices"),
            Action("iam", "ListUsers"),
            Action("iam", "ListVirtualMFADevices"),
        ],
        Resource=["*"],
        Condition=Condition(
            NumericGreaterThan("aws:MultiFactorAuthAge", "43200"),
        ),
    ),
  5. Our updated policy is now complete; we can save the file. It should look like this: http://bit.ly/2uHaRnq.
  6. We can update our existing CloudFormation stack by running the same command as previously:
    $ aws cloudformation update-stack \
        --stack-name iam-groups \
        --template-body file://iam-groups-cf.template \
        --capabilities CAPABILITY_NAMED_IAM
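To see what the two Deny statements actually do once combined with an Allow, the following added example (not code from the book, and not the AWS policy engine) builds the same policy as plain JSON and runs a small, deliberately simplified IAM-style evaluator over it. Assumptions: the Allow statement standing in for the ones added earlier in the chapter is a catch-all "*" grant, only the two condition operators used in this section are modelled, and explicit Deny beats Allow with an implicit deny as the default, which is the part of the real evaluation logic that matters here.

```python
"""Simplified model of the MFA-enforcing policy from this section (added example)."""
import fnmatch

# Same list as the NotAction of the two Deny statements in the text.
MFA_SETUP_ACTIONS = [
    "iam:ChangePassword",
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListUsers",
    "iam:ListVirtualMFADevices",
]

# JSON form of the policy. The Allow statement is an ASSUMPTION standing in for
# the Allow statements added earlier in the chapter (an admin-style grant here,
# so that the effect of the Deny statements is visible).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
        {   # Deny everything except MFA setup when the request carries no MFA at all
            "Effect": "Deny",
            "NotAction": MFA_SETUP_ACTIONS,
            "Resource": ["*"],
            "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}},
        },
        {   # Deny everything except MFA setup when the MFA session is older than 12h
            "Effect": "Deny",
            "NotAction": MFA_SETUP_ACTIONS,
            "Resource": ["*"],
            "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": "43200"}},
        },
    ],
}


def _action_matches(statement, action):
    """Action: statement applies if any pattern matches. NotAction: if none does."""
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(action, p) for p in statement["Action"])
    return not any(fnmatch.fnmatchcase(action, p) for p in statement["NotAction"])


def _condition_matches(condition, context):
    """Only the two operators used in this section are modelled (assumption)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "Null":
                # "true" means the key must be ABSENT from the request context
                if (key not in context) != (expected == "true"):
                    return False
            elif operator == "NumericGreaterThan":
                # an absent key never satisfies a numeric comparison
                if key not in context or not float(context[key]) > float(expected):
                    return False
            else:
                raise ValueError("unsupported operator: " + operator)
    return True


def evaluate(policy, action, context):
    """Explicit Deny wins over Allow; nothing matching is an implicit deny."""
    allowed = False
    for statement in policy["Statement"]:
        if not _action_matches(statement, action):
            continue
        if not _condition_matches(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    # Constructed request contexts: no MFA, a fresh MFA session, a stale one.
    for label, ctx in [("no MFA", {}),
                       ("MFA 10 min ago", {"aws:MultiFactorAuthAge": "600"}),
                       ("MFA 14 h ago", {"aws:MultiFactorAuthAge": "50400"})]:
        for action in ("s3:ListBuckets", "iam:EnableMFADevice"):
            print(f"{label:15} {action:22} -> {evaluate(POLICY, action, ctx)}")
```

The run shows the behaviour the section describes: without MFA, or with an MFA session older than 43200 seconds, s3:ListBuckets is denied while iam:EnableMFADevice and the other NotAction entries still go through, and a fresh MFA session unlocks everything the Allow grants. Note that the real aws:MultiFactorAuthAge key is only present when the credentials came from an MFA-authenticated STS session, which is why a plain long-lived access key hits the first Deny.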

At this point, our users, even administrators, can't run most commands until they authenticate with their MFA device. We can, for example, try to list all the S3 buckets to validate the restriction we just added:

$ aws s3 ls
    
An error occurred (ExpiredToken) when calling the ListBuckets operation: The provided token has expired.  

We now need to use a script to refresh our MFA session.
