We've been modifying our IAM policies for the rest of the team. They should only be allowed to do most things if MFA is active for their session. Even when they have an MFA session, they cannot access any S3 bucket or start an SSM session. If I add the actions to the DenyAllExceptListedIfNoMFA, they will work of course. But I don't see why they are explicitly denied when they use a session with MFA.
Can someone point out my fault? This is the only policy that is applied.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAdmin",
      "Effect": "Allow",
      "NotAction": [
        "iam:CreatePolicy",
        "iam:AttachUserPolicy",
        "iam:AttachRolePolicy",
        "iam:AttachGroupPolicy",
        "iam:DeletePolicy",
        "iam:DeleteGroupPolicy",
        "iam:DeleteAccountPasswordPolicy",
        "iam:DeletePolicyVersion",
        "iam:DeleteRolePolicy",
        "iam:DeleteUserPolicy",
        "iam:DetachGroupPolicy",
        "iam:DetachRolePolicy",
        "iam:DetachUserPolicy",
        "iam:PutGroupPolicy",
        "iam:PutRolePolicy",
        "iam:PutUserPolicy",
        "iam:SetDefaultPolicyVersion",
        "iam:UpdateAssumeRolePolicy",
        "iam:CreatePolicyVersion",
        "iam:UpdateUser",
        "iam:DeleteUser",
        "iam:CreateUser",
        "iam:RemoveUserFromGroup",
        "iam:AddUserToGroup",
        "iam:ListUserPolicies",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListGroupPolicies",
        "iam:ListPolicies",
        "iam:ListRolePolicies",
        "account:GetAccountInformation",
        "account:GetPrimaryEmail",
        "account:GetRegionOptStatus",
        "account:AcceptPrimaryEmailUpdate",
        "account:EnableRegion",
        "account:DisableRegion",
        "account:PutAlternateContact",
        "account:PutChallengeQuestions",
        "account:DeleteAlternateContact",
        "account:StartPrimaryEmailUpdate",
        "account:CloseAccount",
        "account:PutContactInformation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnPasswords",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:GetUser"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey",
        "iam:GetAccessKeyLastUsed"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnSigningCertificates",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSigningCertificate",
        "iam:ListSigningCertificates",
        "iam:UpdateSigningCertificate",
        "iam:UploadSigningCertificate"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnSSHPublicKeys",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSSHPublicKey",
        "iam:GetSSHPublicKey",
        "iam:ListSSHPublicKeys",
        "iam:UpdateSSHPublicKey",
        "iam:UploadSSHPublicKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnGitCredentials",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceSpecificCredential",
        "iam:DeleteServiceSpecificCredential",
        "iam:ListServiceSpecificCredentials",
        "iam:ResetServiceSpecificCredential",
        "iam:UpdateServiceSpecificCredential"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::*:mfa/*"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:GetMFADevice",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
2 Answers
As mentioned by @root69, I enforced MFA on the trust policy and removed it from the regular policy and now it works.
The issue is that MFA enforcement can differ from attaching policies directly to users and using assume role. I would create one policy that assumes the role and ensures MFA is present and a trust policy that ensures the role enforces MFA during assumption.
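The trust policy side of that split, as an added example that is not from this thread or from either poster: the role refuses assumption unless the calling session carries MFA, so the user policy no longer needs its own MFA deny. The account ID 111122223333 and the role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeOnlyWithMFA",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

Using `Bool` rather than `BoolIfExists` here is deliberate: a request with no `aws:MultiFactorAuthPresent` key at all fails the condition, so a non-MFA caller is refused instead of silently matching. The MFA flag only reaches the role session when `sts:AssumeRole` is called with the MFA device serial number and a current code, so the user-side policy just needs to allow `sts:AssumeRole` on this role's ARN.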
MFA needs to be enforced on the trust policy and removed from the regular policy.
As discussed and confirmed by @Vincent Verbist.