
I am trying to figure out an AWS Policy that will make it so MFA is enforced for Console users but not for CLI users. Does anyone have any ideas for this?

No matter what I do I can't seem to exclude CLI users. This is what I have been using.

I have tried changing lines 102-104 to a reversed version, but when I do that I lose all access to AWS except through the CLI.

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Sid": "AllowViewAccountInfo",
        "Effect": "Allow",
        "Action": [
            "iam:GetAccountPasswordPolicy",
            "iam:ListVirtualMFADevices"
        ],
        "Resource": "*"
    },
    {
        "Sid": "AllowManageOwnPasswords",
        "Effect": "Allow",
        "Action": [
            "iam:ChangePassword",
            "iam:GetUser"
        ],
        "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
        "Sid": "AllowManageOwnAccessKeys",
        "Effect": "Allow",
        "Action": [
            "iam:CreateAccessKey",
            "iam:DeleteAccessKey",
            "iam:ListAccessKeys",
            "iam:UpdateAccessKey"
        ],
        "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
        "Sid": "AllowManageOwnSigningCertificates",
        "Effect": "Allow",
        "Action": [
            "iam:DeleteSigningCertificate",
            "iam:ListSigningCertificates",
            "iam:UpdateSigningCertificate",
            "iam:UploadSigningCertificate"
        ],
        "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
        "Sid": "AllowManageOwnSSHPublicKeys",
        "Effect": "Allow",
        "Action": [
            "iam:DeleteSSHPublicKey",
            "iam:GetSSHPublicKey",
            "iam:ListSSHPublicKeys",
            "iam:UpdateSSHPublicKey",
            "iam:UploadSSHPublicKey"
        ],
        "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
        "Sid": "AllowManageOwnGitCredentials",
        "Effect": "Allow",
        "Action": [
            "iam:CreateServiceSpecificCredential",
            "iam:DeleteServiceSpecificCredential",
            "iam:ListServiceSpecificCredentials",
            "iam:ResetServiceSpecificCredential",
            "iam:UpdateServiceSpecificCredential"
        ],
        "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
        "Sid": "AllowManageOwnVirtualMFADevice",
        "Effect": "Allow",
        "Action": [
            "iam:CreateVirtualMFADevice",
            "iam:DeleteVirtualMFADevice"
        ],
        "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
        "Sid": "AllowManageOwnUserMFA",
        "Effect": "Allow",
        "Action": [
            "iam:DeactivateMFADevice",
            "iam:EnableMFADevice",
            "iam:ListMFADevices",
            "iam:ResyncMFADevice"
        ],
        "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
        "Sid": "DenyAllExceptListedIfNoMFA",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice",
            "iam:EnableMFADevice",
            "iam:GetUser",
            "iam:ListMFADevices",
            "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice",
            "sts:GetSessionToken"
        ],
        "Resource": "*",
        "Condition": {
            "BoolIfExists": {
                "aws:MultiFactorAuthPresent": "false"
            }
        }
    }
  ]
}
Lucasz
Norrec

1 Answer

The AWS Management Console makes API calls on behalf of users. Therefore, the same policy would apply to API calls as console calls.

Therefore, if you want a different set of rules to apply within the AWS Management Console, you would need to create a separate IAM User that has:

  • A password for login to the console
  • No Access Key & Secret Key (so they can't use the CLI)
  • Multi-Factor Authentication required
John Rotenstein
  • Is there an article to follow this up? My higher ups are not going to believe that that is the only way, which I thought was the answer to begin with. Just looking for some more ammo to bring to bear when needed. Thanks! – Norrec Sep 13 '21 at 23:51
  • There is no distinction between calls from the console and calls to the API. It's hard to show you an article saying that something that isn't possible actually isn't possible. (It's like asking for proof that a car key is still required if somebody other than you drives your car.) – John Rotenstein Sep 14 '21 at 00:19
  • @JohnRotenstein Your answer says "Does *not* require Multi-Factor Authentication". Wouldn't you want the separate IAM User *to* require MFA so that the existing users with CLI access *don't* require MFA? – davemyron Sep 22 '22 at 16:00
  • @davemyron You're right -- fixed! – John Rotenstein Sep 23 '22 at 00:06
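Whether the posted "DenyAllExceptListedIfNoMFA" statement matches a request depends on two things: the condition operator, and whether the aws:MultiFactorAuthPresent key is present in the request context at all. AWS documents that this key is absent when a call is signed with long-term credentials (an IAM user's access key pair), is "false" for a console session or temporary credentials obtained without MFA, and is "true" after an MFA challenge. The documented operator semantics are that Bool does not match when the key is missing, while BoolIfExists does match when the key is missing. The following is an added example, not part of the original question or answer and not AWS code: a deliberately minimal evaluator of that one Deny statement against constructed request contexts, showing how the posted policy treats console and CLI callers under each operator. The request contexts, the probe action s3:ListAllMyBuckets and the function names are assumptions made for illustration; the full IAM engine (other statements, SCPs, resource policies) is not modelled.

```python
"""Simplified evaluator for one IAM Deny statement with an MFA condition.

Added example, not from the original post. It models only the posted
"DenyAllExceptListedIfNoMFA" statement (Deny + NotAction) and the documented
semantics of Bool / BoolIfExists for the single key aws:MultiFactorAuthPresent.
It is not a general IAM policy engine.
"""
from typing import Dict, Optional

# NotAction list copied from the posted statement: these actions are never
# denied by it, so a user can still enrol an MFA device or call GetSessionToken.
EXEMPT_ACTIONS = {
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
}

MFA_KEY = "aws:MultiFactorAuthPresent"


def condition_matches(operator: str, expected: str, context: Dict[str, str]) -> bool:
    """Evaluate {operator: {aws:MultiFactorAuthPresent: expected}} against a context.

    Documented AWS behaviour for a missing key:
      * Bool          -> condition is false (statement does not apply)
      * BoolIfExists  -> condition is true  (statement applies)
    When the key is present both operators compare the boolean value.
    """
    if operator not in ("Bool", "BoolIfExists"):
        raise ValueError(f"unsupported operator {operator!r}")
    value: Optional[str] = context.get(MFA_KEY)
    if value is None:
        return operator == "BoolIfExists"
    return value.lower() == expected.lower()


def deny_applies(action: str, context: Dict[str, str], operator: str = "BoolIfExists") -> bool:
    """True if the Deny statement blocks `action` for a request with `context`."""
    if action in EXEMPT_ACTIONS:
        return False  # NotAction: exempted actions are outside the statement
    return condition_matches(operator, "false", context)


# Constructed request contexts (illustrative, not captured from AWS).
CONSOLE_WITH_MFA = {MFA_KEY: "true"}      # console sign-in that passed an MFA challenge
CONSOLE_NO_MFA = {MFA_KEY: "false"}       # console sign-in with password only
CLI_LONG_TERM_KEYS: Dict[str, str] = {}   # CLI signed with an access key pair: key absent
CLI_SESSION_NO_MFA = {MFA_KEY: "false"}   # CLI using GetSessionToken creds obtained without MFA

PROBE_ACTION = "s3:ListAllMyBuckets"      # assumed: any action not in the NotAction list


def evaluate_matrix(operator: str) -> Dict[str, bool]:
    """Per caller type, is PROBE_ACTION denied by the statement under `operator`?"""
    cases = {
        "console+mfa": CONSOLE_WITH_MFA,
        "console-no-mfa": CONSOLE_NO_MFA,
        "cli-long-term-keys": CLI_LONG_TERM_KEYS,
        "cli-session-no-mfa": CLI_SESSION_NO_MFA,
    }
    return {name: deny_applies(PROBE_ACTION, ctx, operator) for name, ctx in cases.items()}


if __name__ == "__main__":
    for op in ("BoolIfExists", "Bool"):
        print(op, evaluate_matrix(op))
```

With BoolIfExists (the posted policy) the Deny applies to every caller except a console session that completed MFA, which is why CLI users with plain access keys lose access. With Bool, a request signed with long-term access keys carries no aws:MultiFactorAuthPresent key, so the Deny does not match it, while a password-only console session is still denied. Two caveats before relying on the Bool variant: it means a leaked access key pair is not protected by the MFA requirement at all, and CLI calls made with temporary credentials obtained without MFA (for example from sts:GetSessionToken without --serial-number and --token-code) still carry the key as "false" and are still denied. The real evaluation engine can be queried for the same contexts with `aws iam simulate-custom-policy` and its `--context-entries` option, which is the check to run before changing a production policy.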