DEV Community

Rafaf Tahsin

How to enforce MFA in AWS - Part I - Create User, Role & Policy

In this tutorial I will demonstrate how to enforce MFA for both the AWS CLI and the AWS Console. Later in the tutorial I will share a script that authenticates with MFA and uses the resulting session credentials.

1. First we will create a user who has access only to sts:AssumeRole, gated on an MFA condition. We can create the user manually or with the following Terraform configuration. The condition key aws:MultiFactorAuthPresent is only present in the request context when the call is signed with temporary credentials obtained using MFA (for example from sts:GetSessionToken with a token code, or an assume-role call that passes a serial number and token code); it is absent for calls signed with the user's long-term access key, and a "Bool" test on an absent key evaluates to false, so those calls are denied.

# The IAM user that may only assume roles, and only with MFA.
resource "aws_iam_user" "mfa_user" {
  # path = "/user_path_if_necessary/"
  name = "aws_cli_user"
}

# Allow sts:AssumeRole on any role, but only when the request carries an
# MFA claim. Calls signed with long-term access keys have no
# aws:MultiFactorAuthPresent key at all, and "Bool" treats a missing key
# as false, so they do not match this Allow.
data "aws_iam_policy_document" "sts_assume_role_policy_document" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = ["*"]
    effect    = "Allow"
    condition {
      test     = "Bool"
      values   = ["true"]
      variable = "aws:MultiFactorAuthPresent"
    }
  }
}

resource "aws_iam_policy" "sts_assume_role_policy" {
  name   = "sts_assume_role_policy"
  policy = data.aws_iam_policy_document.sts_assume_role_policy_document.json
}

# aws_iam_user_policy_attachment attaches the policy to this one user.
# (aws_iam_policy_attachment is exclusive: it detaches the policy from
# every user, group and role that is not listed in that resource.)
resource "aws_iam_user_policy_attachment" "sts_assume_role_policy_attachment" {
  user       = aws_iam_user.mfa_user.name
  policy_arn = aws_iam_policy.sts_assume_role_policy.arn
}

# Long-term access key for CLI use. The secret is stored in Terraform state.
resource "aws_iam_access_key" "mfa_user_keys" {
  user = aws_iam_user.mfa_user.name
}

# Console password. Without a pgp_key the generated password is kept in
# plain text in Terraform state, so protect the state accordingly.
resource "aws_iam_user_login_profile" "mfa_user_console_login_profile" {
  user = aws_iam_user.mfa_user.name
}

2. You can retrieve the credentials with the following outputs (output.tf). Outputs marked sensitive are redacted in plan and apply output; read them with terraform output -raw followed by the output name.

# The access key ID is not a secret; the secret key and the console
# password are marked sensitive so Terraform redacts them. Read them with:
#   terraform output -raw mfa_user_secret_key
#   terraform output -raw mfa_user_console_password
output "mfa_user_access_key" {
  value = aws_iam_access_key.mfa_user_keys.id
}

output "mfa_user_secret_key" {
  value     = aws_iam_access_key.mfa_user_keys.secret
  sensitive = true
}

# The plain-text password attribute is only populated when the login
# profile has no pgp_key.
output "mfa_user_console_password" {
  value     = aws_iam_user_login_profile.mfa_user_console_login_profile.password
  sensitive = true
}

3. Now create a virtual MFA device for aws_cli_user from the AWS Console (the user's Security credentials tab in IAM). Load the secret into an authenticator app and enter two consecutive codes to enable the device. Note the device ARN (arn:aws:iam::<account-id>:mfa/<device-name>): it is the serial number you will pass when authenticating with MFA in Part II.


4. We will now create the role that the user assumes. For the purpose of the tutorial I've attached the AWS managed AdministratorAccess policy to the role. Note that the trust policy names the account root as principal, which delegates the decision to IAM: any identity in the account that has an sts:AssumeRole allow covering this role, and presents MFA, can assume it. If only aws_cli_user should be able to assume it, use that user's ARN as the principal instead.

resource "aws_iam_role" "iam_admin_role_with_mfa_restriction" {
  name = "admin_mfa"

  # Trust policy: any identity in this account may assume the role, but
  # only when the request carries an MFA claim (see step 1 for why calls
  # signed with long-term keys fail this condition).
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::${var.aws_account_id}:root"
        },
        "Action" : "sts:AssumeRole",
        "Condition" : {
          "Bool" : {
            "aws:MultiFactorAuthPresent" : "true"
          }
        }
      }
    ]
  })
}

# managed_policy_arns on aws_iam_role is deprecated in current AWS provider
# releases; attach the managed policy with a separate resource instead.
resource "aws_iam_role_policy_attachment" "iam_admin_role_administrator_access" {
  role       = aws_iam_role.iam_admin_role_with_mfa_restriction.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

Now the user is ready; you can have a look at the full Terraform code here.
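As an added example (not from the original post or the linked repository), the following Terraform tightens the setup from steps 1 to 4 in three ways: it scopes the role's trust policy to aws_cli_user instead of the whole account, it attaches a deny-unless-MFA guard to the user so that any permission granted to that user later is still unusable without MFA, and it creates the virtual MFA device from step 3 in Terraform rather than in the console. It assumes the resources from steps 1 and 4 (aws_iam_user.mfa_user, aws_iam_role.iam_admin_role_with_mfa_restriction) and var.aws_account_id exist in the same module; the resource, data and output names are my own, and aws_iam_virtual_mfa_device is assumed to be available in AWS provider 4.20 and later.

```hcl
# Added example. Assumes aws_iam_user.mfa_user and var.aws_account_id from
# the steps above are defined in the same module.

# 1. Trust only aws_cli_user. Use this as the assume_role_policy of the
#    step-4 role in place of the jsonencode block. Caveat: IAM stores the
#    user's unique ID behind this ARN, so if the user is deleted and
#    recreated the trust policy must be re-applied.
data "aws_iam_policy_document" "admin_mfa_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.mfa_user.arn]
    }
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

# 2. Deny everything without MFA, except sts:GetSessionToken, which is
#    called with the long-term key and is how the CLI obtains credentials
#    that carry the MFA claim. sts:AssumeRole needs no exception: it can
#    be called directly with --serial-number and --token-code, and the
#    resulting request does carry the claim.
data "aws_iam_policy_document" "deny_without_mfa" {
  statement {
    sid         = "DenyAllExceptGetSessionTokenIfNoMFA"
    effect      = "Deny"
    not_actions = ["sts:GetSessionToken"]
    resources   = ["*"]
    # BoolIfExists: a request with no aws:MultiFactorAuthPresent key at all
    # (long-term keys) is treated as "false" and denied. A plain Bool test
    # would not match such requests, and the Deny would not apply to them.
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}

resource "aws_iam_policy" "deny_without_mfa" {
  name   = "deny_without_mfa"
  policy = data.aws_iam_policy_document.deny_without_mfa.json
}

resource "aws_iam_user_policy_attachment" "deny_without_mfa" {
  user       = aws_iam_user.mfa_user.name
  policy_arn = aws_iam_policy.deny_without_mfa.arn
}

# 3. Create the virtual MFA device in Terraform instead of the console.
#    The TOTP seed and QR code are written to Terraform state, so the
#    state must be treated as a secret.
resource "aws_iam_virtual_mfa_device" "mfa_user_device" {
  virtual_mfa_device_name = aws_iam_user.mfa_user.name
}

output "mfa_user_device_arn" {
  # The serial number to pass when authenticating with MFA.
  value = aws_iam_virtual_mfa_device.mfa_user_device.arn
}

output "mfa_user_device_seed" {
  # Base32 TOTP seed to load into an authenticator app:
  #   terraform output -raw mfa_user_device_seed
  value     = aws_iam_virtual_mfa_device.mfa_user_device.base_32_string_seed
  sensitive = true
}

# Associating the device with the user is not a Terraform operation,
# because it needs two consecutive codes from the authenticator app:
#   aws iam enable-mfa-device --user-name aws_cli_user \
#     --serial-number "$(terraform output -raw mfa_user_device_arn)" \
#     --authentication-code1 123456 --authentication-code2 234567
```

With the guard attached, the quickest check is to call sts:AssumeRole on admin_mfa with the long-term key alone, which must fail with AccessDenied, and then again with the serial number and a current token code, which must succeed. Do not use sts:GetCallerIdentity for this check: that action cannot be denied by an IAM policy and succeeds either way.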

Let's jump into Part II of the tutorial, where we will discuss how to access AWS using MFA.
