I am trying to add an MFA policy to an existing policy which is created for CloudTrail to put trail logs in an S3 bucket.
These are the things I tried:
- If I use "*" in the principal for my MFA policy, it basically denies everything, even trails putting logs.
- If I use "NotPrincipal" and define the service in the MFA policy principal, it still denies CloudTrail from putting logs; based on the documentation: "you must also specify the account ARN of the not-denied principal. Otherwise, the policy might deny access to the entire account containing the principal. Depending on the service that you include in your policy, AWS might validate the account first and then the user."
- The only way I can think of is to add all the users in the principal, which is not a practical way if we have hundreds of users.
Is there any way I can do this other than the 3rd option?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20151319",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::cloudtrail-2-15-2021-logs"
    },
    {
      "Sid": "AWSCloudTrailWrite20151319",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cloudtrail-2-15-2021-logs/AWS SOC Monitering/AWSLogs/AWSIDXXX/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "MFApolicy1",
      "Effect": "Deny",
      "Principal": {
        "AWS": [
          "arn:aws:iam::AWSIDXXX:user/ADMIN",
          "arn:aws:iam::AWSIDXXX:user/View_testuser",
          "arn:aws:iam::AWSIDXXX:user/Security_Auditor"
        ]
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::cloudtrail-2-15-2021-logs/*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
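As an added example (not AWS code and not the poster's), the toy evaluator below runs the trail's Allow and the MFApolicy1 Deny against three constructed request contexts. It assumes only the bucket policy is in play (so "ImplicitDeny" means the bucket policy itself neither allows nor denies) and encodes the documented rule that aws:MultiFactorAuthPresent is absent from requests made with long-term access keys, so a plain Bool test on it never matches those requests while BoolIfExists does.

```python
# Added example, not AWS code: a toy model of bucket-policy evaluation keeping only the rules this
# decision turns on. An explicit Deny beats any Allow; a plain Bool test on a condition key that is
# absent from the request context is false, while BoolIfExists treats the absent key as a match.
ACCOUNT = "AWSIDXXX"                                   # placeholder account id copied from the post
BUCKET = "arn:aws:s3:::cloudtrail-2-15-2021-logs"
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT}:user/ADMIN"

def principal_matches(principal, ctx):
    """Does the Principal element cover the caller? ctx names it as {"AWS": arn} or {"Service": name}."""
    if principal == "*":
        return True                                    # "*" covers everyone, service principals included
    for kind, ids in principal.items():
        if ctx.get(kind) in ([ids] if isinstance(ids, str) else ids):
            return True
    return False
def condition_matches(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx["keys"].get(key)
            if not (op.endswith("IfExists") if have is None else str(have).lower() == str(want).lower()):
                return False                           # absent key fails Bool but passes BoolIfExists
    return True
def evaluate(statements, ctx):
    decision = "ImplicitDeny"
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if (ctx["action"] not in actions
                or not ctx["resource"].startswith(st["Resource"].rstrip("*"))
                or not principal_matches(st["Principal"], ctx)
                or not condition_matches(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"                              # explicit Deny wins over any Allow
        decision = "Allow"
    return decision
TRAIL_WRITE = {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
               "Action": "s3:PutObject", "Resource": f"{BUCKET}/AWSLogs/{ACCOUNT}/*"}
def mfa_deny(operator):                                # the post's MFApolicy1 with a selectable operator
    return {"Effect": "Deny", "Principal": {"AWS": [ADMIN_ARN]},
            "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
            "Resource": f"{BUCKET}/*", "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}
# Constructed contexts: trail delivering a log; admin session without MFA; admin using long-term keys.
TRAIL = {"Service": "cloudtrail.amazonaws.com", "action": "s3:PutObject",
         "resource": f"{BUCKET}/AWSLogs/{ACCOUNT}/x.json.gz", "keys": {}}
ADMIN_SESSION = {"AWS": ADMIN_ARN, "action": "s3:PutObject", "resource": f"{BUCKET}/x",
                 "keys": {"aws:MultiFactorAuthPresent": "false"}}
ADMIN_KEYS = dict(ADMIN_SESSION, keys={})              # access-key requests carry no MFA key at all
def outcomes(operator):                                # decisions for (trail, admin session, admin keys)
    return tuple(evaluate([TRAIL_WRITE, mfa_deny(operator)], c) for c in (TRAIL, ADMIN_SESSION, ADMIN_KEYS))
```

With the listed-user Principal the trail is untouched in both variants; the difference is that the posted Bool condition leaves access-key requests undenied, whereas BoolIfExists denies them.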