AWS IAM Policy to give ReadOnly access if MFA is not enabled

Question

We are trying to implement mandatory MFA for all IAM users. If user does not have MFA, they we have only 'Read' access to all services.

Tried to create custom policy using adminaccess policy as base. We added condition that says if MfaAuthPresent:False, then give readonly access.

We copied the aws created readonly policy & pasted in json of policy we are creating. But shows character limit has exceeded 6140.

Is there anyway to resolve this without raising any support ticket to increase character limit?

user3553031 · Accepted Answer · 2023-04-24T16:45:15.747

You seem to be trying to structure your Policies like this:

if MFA present:
    grant admin
else:
    grant read-only

However, keep in mind that admin is a super-set of read-only and that IAM principals can have more than one attached Policy. So this structure is exactly the same:

grant read-only
if MFA present:
    grant admin

Accordingly, you can attach the unmodified ReadOnlyAccess Policy to your principals. Then attach a second Policy that looks something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool" : {
                    "aws:MultiFactorAuthPresent" : "true" 
                }
            }
        }
    ]
}

AWS IAM Policy to give ReadOnly access if MFA is not enabled

1 Answers1