
AWS: enforcing MFA for IAM users

Date: 2022-12-08 21:04:13  Views: 197
Tags: iam MFA Resource aws enable Effect Sid


1. Create a policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnPasswords",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:GetUser"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnSigningCertificates",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSigningCertificate",
        "iam:ListSigningCertificates",
        "iam:UpdateSigningCertificate",
        "iam:UploadSigningCertificate"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnSSHPublicKeys",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSSHPublicKey",
        "iam:GetSSHPublicKey",
        "iam:ListSSHPublicKeys",
        "iam:UpdateSSHPublicKey",
        "iam:UploadSSHPublicKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnGitCredentials",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceSpecificCredential",
        "iam:DeleteServiceSpecificCredential",
        "iam:ListServiceSpecificCredentials",
        "iam:ResetServiceSpecificCredential",
        "iam:UpdateServiceSpecificCredential"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

  2. Create an MFA group and attach the policy created above to it.
  3. Add the accounts (IAM users) that make the calls to the MFA group.

3.1 When the condition operator in the policy above is Bool, the Deny only matches requests that carry the aws:MultiFactorAuthPresent key (temporary credentials, i.e. console sessions), so every user with console access can be added to the MFA group:

```json
"Condition": {
  "Bool": {
    "aws:MultiFactorAuthPresent": "false"
  }
}
```

3.2 When the condition operator is BoolIfExists, the Deny also matches requests where the key is absent (long-term credentials), so only users who do not make API calls can be added to the MFA group:

```json
"Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } }
```


Recommended condition operator: Bool
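To make the difference between 3.1 and 3.2 concrete, the following added example (not from the original post) simulates the page's DenyAllExceptListedIfNoMFA statement under both operators; the three request contexts are constructed, and the action name s3:ListAllMyBuckets is just a stand-in for any non-exempt call.

```python
# Added example (not from the original post): simulates how the page's
# "DenyAllExceptListedIfNoMFA" statement behaves under Bool vs BoolIfExists.
# The request contexts below are constructed, not real AWS data.

# Actions the Deny statement exempts (copied from the page's NotAction list).
NOT_ACTION = {
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
    "sts:GetSessionToken", "iam:ChangePassword",
}
MFA_KEY = "aws:MultiFactorAuthPresent"

def condition_matches(operator, context):
    """Evaluate {operator: {MFA_KEY: "false"}} against a request context.
    IAM semantics: with Bool a missing key means no match; with BoolIfExists
    a missing key counts as a match."""
    if operator not in ("Bool", "BoolIfExists"):
        raise ValueError(f"unsupported operator: {operator}")
    if MFA_KEY not in context:
        return operator == "BoolIfExists"
    return str(context[MFA_KEY]).lower() == "false"

def is_denied(action, context, operator="Bool"):
    """True if the Deny statement blocks `action` for a caller with `context`."""
    if action in NOT_ACTION:
        return False  # exempt, so the user can still enrol an MFA device
    return condition_matches(operator, context)

# Constructed request contexts for the three caller types the page discusses.
CONSOLE_WITH_MFA = {MFA_KEY: "true"}   # temporary creds, MFA completed
CONSOLE_NO_MFA = {MFA_KEY: "false"}    # console session without MFA
ACCESS_KEY_CALL = {}                   # CLI/API with long-term keys: key absent

def outcome_table(action="s3:ListAllMyBuckets"):
    """Map (operator, caller) -> denied? for one non-exempt action."""
    callers = {"console_mfa": CONSOLE_WITH_MFA,
               "console_no_mfa": CONSOLE_NO_MFA,
               "access_key": ACCESS_KEY_CALL}
    return {(op, name): is_denied(action, ctx, op)
            for op in ("Bool", "BoolIfExists")
            for name, ctx in callers.items()}

if __name__ == "__main__":
    for (op, caller), denied in outcome_table().items():
        print(f"{op:13} {caller:15} denied={denied}")
```

The table shows the row that matters for the recommendation: with Bool an access-key call is not denied, with BoolIfExists it is.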


  4. Other notes

aws:MultiFactorAuthPresent

Works with Boolean operators.

Use this key to check whether multi-factor authentication (MFA) was used to validate the temporary security credentials that made the request.

  • Availability - This key is included in the request context only when the principal uses temporary credentials to make the request. The key is not present in AWS CLI, AWS API, or AWS SDK requests made with long-term credentials.
  • Value type - Single-valued


Reference links:

https://tonghuaroot.com/2019/11/25/AWS-IAM-MFA-force-console-no-use-MFA-in-CLI/

https://aws.amazon.com/cn/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/

https://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-multifactorauthpresent

From: https://blog.51cto.com/52python/5923449
