forked from philips-software/terraform-aws-account-setup
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathpolicy-mfa.tf
125 lines (106 loc) · 2.86 KB
/
policy-mfa.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
data "aws_iam_policy_document" "force_mfa" {
statement {
sid = "AllowAllUsersToListAccounts"
resources = ["*"]
actions = [
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary"
]
}
statement {
sid = "AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation"
resources = ["arn:aws:iam::*:user/$${aws:username}"]
actions = [
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:DeleteAccessKey",
"iam:DeleteLoginProfile",
"iam:GetLoginProfile",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
"iam:UpdateLoginProfile",
"iam:ListSigningCertificates",
"iam:DeleteSigningCertificate",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate",
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey",
"iam:DeleteSSHPublicKey",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
]
}
statement {
sid = "AllowIndividualUserToListOnlyTheirOwnMFA"
actions = [
"iam:ListVirtualMFADevices",
"iam:ListMFADevices"
]
resources = [
"arn:aws:iam::*:mfa/*",
"arn:aws:iam::*:user/$${aws:username}"
]
}
statement {
sid = "AllowIndividualUserToManageTheirOwnMFA"
actions = [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
]
resources = [
"arn:aws:iam::*:mfa/$${aws:username}",
"arn:aws:iam::*:user/$${aws:username}"
]
}
statement {
sid = "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA"
actions = ["iam:DeactivateMFADevice"]
resources = [
"arn:aws:iam::*:mfa/$${aws:username}",
"arn:aws:iam::*:user/$${aws:username}"
]
condition {
test = "Bool"
variable = "aws:MultiFactorAuthPresent"
values = ["true"]
}
}
statement {
sid = "BlockMostAccessUnlessSignedInWithMFA"
effect = "Deny"
resources = ["*"]
not_actions = [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:ListVirtualMFADevices",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:ListSSHPublicKeys",
"iam:ListAccessKeys",
"iam:ListServiceSpecificCredentials",
"iam:ListMFADevices",
"iam:GetAccountSummary",
"iam:ChangePassword",
"sts:GetSessionToken"
]
condition {
test = "BoolIfExists"
variable = "aws:MultiFactorAuthPresent"
values = ["false"]
}
}
}
resource "aws_iam_policy" "mfa" {
count = var.enable_mfa ? 1 : 0
name = "ForceMFA"
path = "/"
description = "Policy to enforce MFA"
policy = data.aws_iam_policy_document.force_mfa.json
}