DEV Community

Rafaf Tahsin
Rafaf Tahsin

Posted on • Edited on

How to enforce MFA in AWS - Part I - Create User, Role & Policy

#aws #security #tutorial #bash

In this tutorial I will demonstrate How to enfornce 2FA in both AWS CLI and AWS Console. Later in the tutorial I will share a script to quickly authenticate with MFA and use generated token.

1. At first we will create a user who has only access to sts:AssumeRole with MFA condition. We can create the user manually or with the following terraform script.

resource "aws_iam_user" "mfa_user" {
  # path = "/user_path_if_necessary/"
  name = "aws_cli_user"
}

data "aws_iam_policy_document" "sts_assume_role_policy_docuement" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = ["*"]
    effect    = "Allow"
    condition {
      test     = "Bool"
      values   = ["true"]
      variable = "aws:MultiFactorAuthPresent"
    }
  }
}

resource "aws_iam_policy" "sts_assume_role_policy" {
  name   = "sts_assume_role_policy"
  policy = data.aws_iam_policy_document.sts_assume_role_policy_docuement.json
}

resource "aws_iam_policy_attachment" "sts_assume_role_policy_attachment" {
  name       = "sts_assume_role_policy_attachment"
  policy_arn = aws_iam_policy.sts_assume_role_policy.arn
  users      = [aws_iam_user.mfa_user.name]
}

resource "aws_iam_access_key" "mfa_user_keys" {
  user = aws_iam_user.mfa_user.name
}

resource "aws_iam_user_login_profile" "mfa_user_console_login_profile" {
  user = aws_iam_user.mfa_user.name
}
Enter fullscreen mode Exit fullscreen mode

2. You can get the credentials with the following output.tf output file

output "mfa_user_access_key" {
  value = aws_iam_access_key.mfa_user_keys.id
}

output "mfa_user_secret_key" {
  value     = aws_iam_access_key.mfa_user_keys.secret
  sensitive = true
}

output "mfa_user_console_password" {
  value = aws_iam_user_login_profile.mfa_user_console_login_profile.password
  sensitive = true
}
Enter fullscreen mode Exit fullscreen mode

3. Now Create a Virtual device for mfa_user from AWS Console.

Image description

4. We will now create the role that will be assumed by the user. For the purpose of the tutorial I've attached an AWS managed Administrator policy with the role.

resource "aws_iam_role" "iam_admin_role_with_mfa_restriction" {
  name               = "admin_mfa"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::${var.aws_account_id}:root"
        },
        "Action" : "sts:AssumeRole",
        "Condition" : {
          "Bool" : {
            "aws:MultiFactorAuthPresent" : "true"
          }
        }
      }
    ]
  })
  managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
}
Enter fullscreen mode Exit fullscreen mode

Now the user is ready, you can have a look at the full terraform code here

Lets jump into Part II of the tutorial where we will discuss about how to access aws using MFA.

Top comments (0)

Read next

tariq_nawaz_c2f67e3cee143 profile image

FUTURE OF TECHNOLOGY

Tariq Nawaz -

msnmongare profile image

When and Why to Use JSON Columns in SQL Databases

Sospeter Mong'are -

shieldstring profile image

Vite + React app MIME error when reloading the page

Agbo, Daniel Onuoha -

keploy profile image

JSON Diff: Comparing JSON Data Effectively

keploy -