Require Multi-Factor Authentication (MFA) for IAM User in AWS

As a Security Best Practice we should always require IAM Users to have Multi-Factor Authentication (MFA) enabled when accessing the AWS Console.

The problem is how do we require users to configure MFA?

The IAM policy below can be used to require users to enable their MFA. If they do not have MFA, all their permissions will be denied. This will make access to your AWS Account more secure.



IAM Policy that requires IAM Users to have Multi-Factor Authentication (MFA)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListMFADevices",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowChangeOwnPasswordsOnFirstLogin",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowChangeOwnPasswordsAfterMFAEnabled",
            "Effect": "Allow",
            "Action": [
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:ListUsers",
                "iam:ChangePassword",
                "iam:GetUser",
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ],
    "Id": "RadishLogic.com MFA Required IAM Policy"
}

The name of my IAM Policy is MFA-Required, you may use whatever name you desire to use.

Continue reading Require Multi-Factor Authentication (MFA) for IAM User in AWS

EC2 with IAM Role: CloudFormation Sample Template

Creating an EC2 Instance with an IAM Role is easy when you do it via the AWS Console but doing this with CloudFormation is not as direct. You will need an Instance Profile to connect an EC2 with an IAM Role.

TL;DR: See the CloudFormation Template below.

Continue reading EC2 with IAM Role: CloudFormation Sample Template

How to create IAM User Access Keys via AWS CLI

To create programmatic Access Keys for an AWS IAM User using AWS CLI, run the command aws iam create-access-key.

On the command below change MyUser with the username of your target IAM User.

aws iam create-access-key --user-name MyUser

This will return the following JSON formatted string.

Continue reading How to create IAM User Access Keys via AWS CLI

How to create IAM User Access Keys using AWS Console

If you want to be able to control your AWS resources on your local computer you will either use AWS CLI or AWS SDK. To use those tools, you will need to have an Access Key ID and a Secret Access Key.

In this post, we will show you how you can generate your own Access Keys so you can programmatically access your AWS resources.

For the instructions later the target username that I want to create Access Keys is rabano. Yours will be different.

Continue reading How to create IAM User Access Keys using AWS Console