AWS IAM 策略:要求用户自己配置 MFA
AWS IAM Policies: require user to provision MFA themselves
我想向我们的新用户发送他们的 IAM 用户名和临时凭证,然后要求他们更改密码并要求他们在获得之前配置自己的虚拟 MFA访问控制台中的任何其他内容。
1) 创建用户时,我显然可以生成一个临时密码,并要求他们在首次登录时更改密码。 Security Credentials-->Manage Password-->'Require user to create a new password at next sign-in'.
2) 以下政策将 permit IAM users to change their own passwords:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
}
}
3) 以下政策 allows users to manage only their own virtual mfa devices:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
]
},
{
"Sid": "AllowUsersToDeactivateTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
},
{
"Sid": "AllowUsersToListMFADevicesandUsersForConsole",
"Effect": "Allow",
"Action": [
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
通过以上三种方法我可以要求他们修改密码,允许他们配置自己的虚拟MFA设备,就是不知道有没有办法要求他们配置MFA.
我发布了完整的解决方案,因为它不是 Can you require MFA for AWS IAM accounts? 的副本,这非常有帮助,但不是完整的解决方案 允许新的 IAM 用户登录控制台,更改他们的密码并自行添加他们自己的虚拟 MFA。
1) 创建托管策略以允许用户 change their own passwords:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
}
}
2) 创建托管策略以允许用户 manage their own virtual mfa devices:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
]
},
{
"Sid": "AllowUsersToDeactivateTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
},
{
"Sid": "AllowUsersToListMFADevicesandUsersForConsole",
"Effect": "Allow",
"Action": [
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
3) 将以下条件添加到所有需要 MFA 的策略中:
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "ReadOnlyEC2RequireMFA",
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Null": {
"aws:MultiFactorAuthAge": "false"
}
}
}]
}
4) 当您创建新的 IAM 用户并为其分配密码时,选中复选框 'Require user to create a new password at next sign-in' 并应用上面的三个托管策略(或将托管策略分配给一个组并将用户添加到组)。
现在将用户名和临时密码分发给新的 IAM 用户。当他们登录时,系统会提示他们更改密码,然后他们将只能进入 IAM,select 他们自己的用户帐户和 add their own MFA device。他们将需要注销并使用 MFA 重新登录才能获得 ec2:Describe* 权限。
AWS 对此有一个记录的答案:https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html
这是一个包含多个声明的单一政策:
- 允许列出所有用户和所有 MFA 设备。
- 允许仅列出您自己的用户和他们自己的 MFA 设备。
- 允许管理您自己的 MFA 设备。
- 如果您使用 MFA 登录,允许停用 MFA。
- 阻止访问其他所有内容,除非使用 MFA 进行登录。
我想向我们的新用户发送他们的 IAM 用户名和临时凭证,然后要求他们更改密码并要求他们在获得之前配置自己的虚拟 MFA访问控制台中的任何其他内容。
1) 创建用户时,我显然可以生成一个临时密码,并要求他们在首次登录时更改密码。 Security Credentials-->Manage Password-->'Require user to create a new password at next sign-in'.
2) 以下政策将 permit IAM users to change their own passwords:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
}
}
3) 以下政策 allows users to manage only their own virtual mfa devices:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
]
},
{
"Sid": "AllowUsersToDeactivateTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
},
{
"Sid": "AllowUsersToListMFADevicesandUsersForConsole",
"Effect": "Allow",
"Action": [
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
通过以上三种方法我可以要求他们修改密码,允许他们配置自己的虚拟MFA设备,就是不知道有没有办法要求他们配置MFA.
我发布了完整的解决方案,因为它不是 Can you require MFA for AWS IAM accounts? 的副本,这非常有帮助,但不是完整的解决方案 允许新的 IAM 用户登录控制台,更改他们的密码并自行添加他们自己的虚拟 MFA。
1) 创建托管策略以允许用户 change their own passwords:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
}
}
2) 创建托管策略以允许用户 manage their own virtual mfa devices:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
]
},
{
"Sid": "AllowUsersToDeactivateTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
},
{
"Sid": "AllowUsersToListMFADevicesandUsersForConsole",
"Effect": "Allow",
"Action": [
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
3) 将以下条件添加到所有需要 MFA 的策略中:
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "ReadOnlyEC2RequireMFA",
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Null": {
"aws:MultiFactorAuthAge": "false"
}
}
}]
}
4) 当您创建新的 IAM 用户并为其分配密码时,选中复选框 'Require user to create a new password at next sign-in' 并应用上面的三个托管策略(或将托管策略分配给一个组并将用户添加到组)。
现在将用户名和临时密码分发给新的 IAM 用户。当他们登录时,系统会提示他们更改密码,然后他们将只能进入 IAM,select 他们自己的用户帐户和 add their own MFA device。他们将需要注销并使用 MFA 重新登录才能获得 ec2:Describe* 权限。
AWS 对此有一个记录的答案:https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html
这是一个包含多个声明的单一政策:
- 允许列出所有用户和所有 MFA 设备。
- 允许仅列出您自己的用户和他们自己的 MFA 设备。
- 允许管理您自己的 MFA 设备。
- 如果您使用 MFA 登录,允许停用 MFA。
- 阻止访问其他所有内容,除非使用 MFA 进行登录。