What is a Policy?

AWS policies allow you to define in great detail what users, or more commonly groups of users, can do. This article describes how to create a managed policy that forces users to use MFA for the majority of AWS access.

Create the RequireMFAPolicy

Managed policies are reusable: one policy can be attached to multiple groups.

  1. Go to Services > IAM.
  2. Select Policies in the left pane.
  3. Click the Create policy button.
  4. Select the JSON tab.
  5. Paste the following policy. Replace AWS_ACCOUNT_NUMBER with your own AWS account number; there are 7 occurrences.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllUsersToListAccounts",
            "Effect": "Allow",
            "Action": [
                "iam:ListAccountAliases",
                "iam:GetAccountPasswordPolicy",
                "iam:ListUsers",
                "iam:GetAccountSummary"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowIndividualUserToSeeTheirAccountInformationAndCreateAccessKey",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetAccountPasswordPolicy",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile",
                "iam:CreateAccessKey",
                "iam:ListAccessKeys"
            ],
            "Resource": [
                "arn:aws:iam::AWS_ACCOUNT_NUMBER:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToListTheirMFA",
            "Effect": "Allow",
            "Action": [
                "iam:ListVirtualMFADevices",
                "iam:ListMFADevices"
            ],
            "Resource": [
                "arn:aws:iam::AWS_ACCOUNT_NUMBER:mfa/*",
                "arn:aws:iam::AWS_ACCOUNT_NUMBER:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToManageTheirMFA",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::AWS_ACCOUNT_NUMBER:mfa/${aws:username}",
                "arn:aws:iam::AWS_ACCOUNT_NUMBER:user/${aws:username}"
            ]
        },
        {
            "Sid": "DenyEverythingExceptForBelowUnlessMFAd",
            "Effect": "Deny",
            "NotAction": [
                "iam:ListVirtualMFADevices",
                "iam:ListMFADevices",
                "iam:ListUsers",
                "iam:ListAccountAliases",
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:MultiFactorAuthAge": "true"
                }
            }
        },
        {
            "Sid": "DenyIamAccessToOtherAccountsUnlessMFAd",
            "Effect": "Deny",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:GetAccountPasswordPolicy",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile",
                "iam:CreateAccessKey",
                "iam:ListAccessKeys"
            ],
            "NotResource": [
                "arn:aws:iam::AWS_ACCOUNT_NUMBER:mfa/${aws:username}",
                "arn:aws:iam::AWS_ACCOUNT_NUMBER:user/${aws:username}"
            ],
            "Condition": {
                "Null": {
                    "aws:MultiFactorAuthAge": "true"
                }
            }
        }
    ]
}
  6. Click the Review policy button.
  7. Enter a Name for your policy (e.g. RequireMFAPolicy).
  8. Enter a Description (e.g. This policy will force all users to use MFA for most use cases).
  9. Click Create policy.

You now have a policy that can be attached to a user group.
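To see why this policy behaves the way it does before you attach it to anyone, it helps to walk a few requests through it by hand. The script below is an added example, not code from the article or from AWS: it implements just the policy features the RequireMFAPolicy uses (Action/NotAction, Resource/NotResource, the Null condition operator, the ${aws:username} variable and "*" wildcards) over a condensed copy of three of the six statements, with a constructed account number, and evaluates sample requests for a user "alice" with and without MFA. It is a teaching model, not the real AWS evaluation engine.

```python
"""Mini IAM policy evaluator (added example, not part of the original article).

Implements only what the RequireMFAPolicy needs: Action / NotAction,
Resource / NotResource, the "Null" condition operator, the ${aws:username}
policy variable and "*" wildcards. It is not the real AWS engine; it shows
why a user without MFA is explicitly denied almost everything while still
being allowed to enrol their own MFA device.
"""
import fnmatch
import json

ACCOUNT = "123456789012"  # constructed sample account number, not a real account

# Condensed copy of the article's policy: three of its six statements, with
# shortened action lists. The remaining statements follow the same pattern.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIndividualUserToManageTheirMFA",
      "Effect": "Allow",
      "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ResyncMFADevice"],
      "Resource": ["arn:aws:iam::ACCT:mfa/${aws:username}",
                   "arn:aws:iam::ACCT:user/${aws:username}"]
    },
    {
      "Sid": "DenyEverythingExceptForBelowUnlessMFAd",
      "Effect": "Deny",
      "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ResyncMFADevice",
                    "iam:ListVirtualMFADevices", "iam:ListMFADevices"],
      "Resource": "*",
      "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}
    },
    {
      "Sid": "DenyIamAccessToOtherAccountsUnlessMFAd",
      "Effect": "Deny",
      "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ResyncMFADevice",
                 "iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"],
      "NotResource": ["arn:aws:iam::ACCT:mfa/${aws:username}",
                      "arn:aws:iam::ACCT:user/${aws:username}"],
      "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}
    }
  ]
}
""".replace("ACCT", ACCOUNT))


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, username):
    """Case-insensitive glob match after substituting the ${aws:username} variable."""
    for pattern in patterns:
        pattern = pattern.replace("${aws:username}", username)
        if fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


def _statement_applies(stmt, action, resource, username, mfa_age):
    """True when the statement's action, resource and condition all match the request."""
    if "Action" in stmt and not _matches(_as_list(stmt["Action"]), action, username):
        return False
    if "NotAction" in stmt and _matches(_as_list(stmt["NotAction"]), action, username):
        return False
    if "Resource" in stmt and not _matches(_as_list(stmt["Resource"]), resource, username):
        return False
    if "NotResource" in stmt and _matches(_as_list(stmt["NotResource"]), resource, username):
        return False
    # Only the Null operator on aws:MultiFactorAuthAge is modelled here.
    for operator, checks in stmt.get("Condition", {}).items():
        if operator != "Null":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, want_null in checks.items():
            if key != "aws:MultiFactorAuthAge":
                raise NotImplementedError(f"condition key {key} not modelled")
            if (mfa_age is None) != (want_null == "true"):
                return False
    return True


def evaluate(policy, action, resource, username, mfa_age=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against one policy.

    mfa_age is the aws:MultiFactorAuthAge context key (seconds since MFA),
    or None when the caller did not authenticate with MFA.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, username, mfa_age):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins, whatever else matches
        decision = "Allow"
    return decision


def demo():
    """Evaluate representative requests for the constructed user 'alice'."""
    own_mfa = f"arn:aws:iam::{ACCOUNT}:mfa/alice"
    bob_mfa = f"arn:aws:iam::{ACCOUNT}:mfa/bob"
    bucket = "arn:aws:s3:::example-bucket"  # constructed resource
    return {
        # alice without MFA may still enrol her own device ...
        "enrol_own_no_mfa": evaluate(POLICY, "iam:EnableMFADevice", own_mfa, "alice"),
        # ... but not bob's ...
        "enrol_other_no_mfa": evaluate(POLICY, "iam:EnableMFADevice", bob_mfa, "alice"),
        # ... and everything outside the NotAction list is explicitly denied
        "s3_no_mfa": evaluate(POLICY, "s3:ListBucket", bucket, "alice"),
        # with MFA the Deny no longer matches; this policy grants nothing for S3,
        # so another attached policy would have to supply the Allow
        "s3_with_mfa": evaluate(POLICY, "s3:ListBucket", bucket, "alice", mfa_age=120),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last case is the important one for troubleshooting: the RequireMFAPolicy only ever removes access, so after a user has MFA'd their remaining permissions come entirely from the other policies attached to their group. One further thing to check before rolling the article's policy out: its Deny statement does not list sts:GetSessionToken in NotAction, so users who hold access keys and use that call from the CLI to obtain MFA-authenticated session credentials would be denied it; add it to the NotAction list if that workflow matters to you.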

Thanks for visiting.