How to enforce MFA in AWS - Part I - Create User, Role & Policy
Rafaf Tahsin



Publish Date: Jun 20 '23

In this tutorial I will demonstrate how to enforce 2FA in both the AWS CLI and the AWS Console. Later in the tutorial I will share a script to quickly authenticate with MFA and use the generated token.

1. First we will create a user whose only permission is sts:AssumeRole, gated by an MFA condition. We can create the user manually or with the following Terraform script.

```hcl
resource "aws_iam_user" "mfa_user" {
  # path = "/user_path_if_necessary/"
  name = "aws_cli_user"
}

# The user's only permission: sts:AssumeRole, and only when the request
# context says MFA was used. A request made with long-term access keys has
# no aws:MultiFactorAuthPresent key at all, which this Bool test treats as false.
data "aws_iam_policy_document" "sts_assume_role_policy_document" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = ["*"]
    effect    = "Allow"
    condition {
      test     = "Bool"
      values   = ["true"]
      variable = "aws:MultiFactorAuthPresent"
    }
  }
}

resource "aws_iam_policy" "sts_assume_role_policy" {
  name   = "sts_assume_role_policy"
  policy = data.aws_iam_policy_document.sts_assume_role_policy_document.json
}

# Note: aws_iam_policy_attachment is exclusive; it detaches this policy from any
# user, group or role not listed here. aws_iam_user_policy_attachment is the
# non-exclusive alternative if the policy is ever shared.
resource "aws_iam_policy_attachment" "sts_assume_role_policy_attachment" {
  name       = "sts_assume_role_policy_attachment"
  policy_arn = aws_iam_policy.sts_assume_role_policy.arn
  users      = [aws_iam_user.mfa_user.name]
}

# Programmatic credentials for the CLI ...
resource "aws_iam_access_key" "mfa_user_keys" {
  user = aws_iam_user.mfa_user.name
}

# ... and a console password for the same user.
resource "aws_iam_user_login_profile" "mfa_user_console_login_profile" {
  user = aws_iam_user.mfa_user.name
}
```

2. You can read the credentials back with the following output.tf file.

```hcl
output "mfa_user_access_key" {
  value = aws_iam_access_key.mfa_user_keys.id
}

# sensitive = true redacts the value from plan/apply output (read it with
# `terraform output -raw <name>`); it is still stored in plaintext in the
# Terraform state, so protect the state file accordingly.
output "mfa_user_secret_key" {
  value     = aws_iam_access_key.mfa_user_keys.secret
  sensitive = true
}

output "mfa_user_console_password" {
  value     = aws_iam_user_login_profile.mfa_user_console_login_profile.password
  sensitive = true
}
```

3. Now create a virtual MFA device for the user from the AWS Console.


4. We will now create the role that the user will assume. For the purpose of the tutorial I've attached the AWS managed AdministratorAccess policy to the role.

```hcl
# Note: managed_policy_arns is deprecated in recent versions of the AWS provider;
# the replacement is a separate aws_iam_role_policy_attachment resource.
resource "aws_iam_role" "iam_admin_role_with_mfa_restriction" {
  name = "admin_mfa"
  # Trust policy: any principal in the account may assume the role, but only
  # from an MFA-authenticated session (the same Bool test as the user policy).
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::${var.aws_account_id}:root"
        },
        "Action" : "sts:AssumeRole",
        "Condition" : {
          "Bool" : {
            "aws:MultiFactorAuthPresent" : "true"
          }
        }
      }
    ]
  })
  managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
}
```
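As an added example that is not code from this post, the following Python models how IAM evaluates the aws:MultiFactorAuthPresent condition used in both policies above, including the case where the key is absent because the caller used long-term access keys directly. The evaluator is a deliberate simplification (only Bool and BoolIfExists, no principal or resource matching) and the account id is a placeholder.

```python
"""Simplified model of how IAM evaluates the aws:MultiFactorAuthPresent
condition (Bool vs BoolIfExists). Added example, not part of the original
post; principal/resource matching and other operators are left out."""
import json

# Trust policy of the admin_mfa role from the post; the account id is a placeholder.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}""")

def condition_matches(condition: dict, context: dict) -> bool:
    """Bool on a key absent from the request context is false; BoolIfExists
    treats an absent key as a match. Long-term access keys produce no
    aws:MultiFactorAuthPresent key at all, so a Deny written with plain
    Bool "false" does not catch them, while BoolIfExists does."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        if operator.removesuffix("IfExists") != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy: dict, action: str, context: dict) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action; an explicit Deny wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    # MFA session, non-MFA session, and long-term keys (key absent from context).
    for ctx in ({"aws:MultiFactorAuthPresent": "true"}, {"aws:MultiFactorAuthPresent": "false"}, {}):
        print(ctx, "->", evaluate(TRUST_POLICY, "sts:AssumeRole", ctx))
```

The third case is the one to remember: a plain access key never carries the MFA key, so an Allow gated with Bool "true" stays closed, but a Deny written with Bool "false" would not fire either.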

Now the user is ready; you can have a look at the full Terraform code here.

Let's jump into Part II of the tutorial, where we will discuss how to access AWS using MFA.
