
Following AWS documentation, I attached a policy to my admin group to enforce that the group's permissions are only available to users that have MFA enabled:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BlockMostAccessUnlessSignedInWithMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:ListVirtualMFADevices",
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice",
                "iam:GetAccountSummary",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

My problem is that I have a bot (let's call it arn:aws:iam::12345678:user/my-bot) that is part of that admin group and doesn't have MFA enabled. So far I have thought of these two options:

  1. Putting my bot in a different group where the EnforceMFA policy is not present (duplicating code)
  2. Somehow enable MFA for the bot (although I don't like that option)

Is there a way I could add an exception/condition in my EnforceMFA policy that says "for this specific user, don't apply this Deny"?

Thanks in advance

jbbb

1 Answer


You could create a tag for your bot user and add another Condition: tag your service account to identify it.

{
    "Condition": {
        "Bool": {
            "aws:MultiFactorAuthPresent": "false"
        },
        "StringNotEquals": {
            "aws:PrincipalTag/type": "bot"
        }
    }
}

Additionally, create a policy which denies changing the user's tags.

If you just want to exclude a particular user, you can use the aws:PrincipalArn global condition key in your policy to apply the deny to all users except the one specified: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

In combination with StringNotEquals that will work!

f7o
  • Thanks for your answer. Do you know if I could do something similar but using the user's id/name instead of a tag assigned to the user? – jbbb Oct 29 '20 at 16:43
  • I included a solution for that in my answer – f7o Oct 29 '20 at 16:47
  • Sorry, misunderstood your question. Edited the answer once more ;) – f7o Oct 29 '20 at 16:50
  • Thanks for your message. What I ended up doing is this, although I'm still testing whether it's a valid solution: `"Condition": { "Bool": { "aws:MultiFactorAuthPresent" : "false" }, "StringNotEquals" : { "aws:username" : "my-bot" } }` – jbbb Nov 02 '20 at 16:33
  • Also a valid approach. The `PrincipalArn` is just more generic. – f7o Nov 02 '20 at 16:42