
I wanted to try a new approach to configuring and enforcing some actions for my AWS IAM users, in which they are denied access to certain actions in the console unless they have performed a specific action (like adding a tag to themselves or activating an MFA device). Yes, it would be a composite condition, and the second part is dealt with.

For that I would need to allow different actions when the user is authenticated using their access key or using their username/password (namely using the aws web console). But I can't seem to find any way to identify that.

So I guess the exact question is:

Is there a condition for policies that would allow or deny an action specifically when the user is authenticated by user/pass and not using their access key?

I have tried reading the whole documentation for AWS policy conditions but couldn't find any condition that suits those needs. Hoping to find someone creative who had the same problem on the internet, I tried browsing, but my google-fu seems to be bad because every query leaves me with thousands of tutorials on how to provide or deny console access to a user, period.

Szzaass
    *"Is there a condition for policies that would allow or deny an action specifically when the user is using the web console?"* - no, there is not, and neither does it make sense to have something like that. The web console is just a frontend to the API, the CLI is just another kind of frontend basically. – luk2302 Jul 11 '23 at 15:14
  • Would it make more sense if I phrased it "using the user/pass authentication against access key authentication"? – Szzaass Jul 11 '23 at 16:10
  • You could investigate writing conditions based upon [UserAgent](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-useragent). I'm not sure it's a good idea to do that but I don't know your underlying rationale. – jarmod Jul 11 '23 at 16:25
  • That's something to think about =) – Szzaass Jul 11 '23 at 16:28
  • 1
    You could try requiring your Console users to use MFA but ban your users from calling `sts:GetSessionToken`, then grant different permissions based on whether MFA is present? Not sure if this will work -- I don't know if Console login with MFA depends on `sts:GetSessionToken`. – user3553031 Jul 12 '23 at 06:38
  • I will definitely look into the `sts:GetSessionToken` suggestion, I have de-prioritized the issue though so it might take a while. If I find a viable solution I'll make sure to post here. – Szzaass Jul 31 '23 at 19:43
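An added example, not code posted by anyone in this thread, that shows why the question has no direct answer and what the composite condition from the question and the MFA suggestion in the comments look like in practice. It simulates how IAM evaluates a "deny everything except onboarding actions until the user has MFA or has tagged themselves" policy against a few constructed request contexts. The policy document, the tag name `onboarded`, the list of onboarding actions and the request contexts are all assumptions made up for the example; the condition-operator semantics (a key that is absent from the request context makes a plain `Bool` condition false, while `BoolIfExists` treats the absent key as a match, and `Null` with `"true"` matches only when the key is absent) follow the IAM condition-operator documentation. Note that no key in any of these contexts says "console": what the contexts differ in is whether `aws:MultiFactorAuthPresent` is present at all (it is absent for requests signed with a long-term access key and present, true or false, for console sessions, which use temporary credentials) and whether the principal tag exists.

```python
"""Simulate IAM evaluation of a deny-until-onboarded policy (constructed example)."""
import copy
import fnmatch

# Actions a not-yet-onboarded user must still be able to call (assumed list).
ONBOARDING_ACTIONS = [
    "iam:GetUser", "iam:TagUser", "iam:ListMFADevices",
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ChangePassword",
]

# Example policy (constructed here, not from the question). The Deny fires
# only while BOTH conditions hold: no MFA (key absent or present-and-false)
# AND the principal carries no "onboarded" tag. Conditions in one block are ANDed.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyUntilMfaOrSelfTag",
            "Effect": "Deny",
            "NotAction": ONBOARDING_ACTIONS,
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"},
                "Null": {"aws:PrincipalTag/onboarded": "true"},
            },
        },
    ],
}

# The common mistake: plain Bool instead of BoolIfExists. With a long-term
# access key the MFA key is absent, so this Deny silently never fires.
POLICY_PLAIN_BOOL = copy.deepcopy(POLICY)
_deny = POLICY_PLAIN_BOOL["Statement"][1]
_deny["Condition"]["Bool"] = _deny["Condition"].pop("BoolIfExists")

# Constructed request contexts (example data, not captured from AWS).
CTX_ACCESS_KEY = {"aws:username": "alice"}                # long-term key: MFA key absent
CTX_CONSOLE_MFA = {"aws:username": "alice",
                   "aws:MultiFactorAuthPresent": "true"}  # password + MFA sign-in
CTX_CONSOLE_NO_MFA = {"aws:username": "alice",
                      "aws:MultiFactorAuthPresent": "false"}  # password only
CTX_ACCESS_KEY_TAGGED = {"aws:username": "alice",
                         "aws:PrincipalTag/onboarded": "true"}  # tagged self earlier


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _action_matches(stmt, action):
    if "Action" in stmt:
        return _match_any(stmt["Action"], action)
    return not _match_any(stmt["NotAction"], action)


def _condition_holds(op, key, expected, ctx):
    """Evaluate one operator/key pair against the request context."""
    present = key in ctx
    if op == "Null":
        # "true" matches an absent key, "false" matches a present one.
        return (not present) == (_as_list(expected)[0] == "true")
    if not present:
        # Absent key: ...IfExists operators match, every other operator fails.
        return op.endswith("IfExists")
    base = op[:-len("IfExists")] if op.endswith("IfExists") else op
    actual = str(ctx[key])
    if base == "Bool":
        return any(actual.lower() == str(e).lower() for e in _as_list(expected))
    if base == "StringEquals":
        return any(actual == e for e in _as_list(expected))
    if base == "StringLike":
        return any(fnmatch.fnmatchcase(actual, e) for e in _as_list(expected))
    raise ValueError(f"unsupported operator {op}")


def _statement_matches(stmt, action, ctx):
    if not _action_matches(stmt, action):
        return False
    return all(_condition_holds(op, key, expected, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, expected in pairs.items())


def evaluate(policy, action, ctx):
    """Return 'deny' or 'allow': an explicit Deny wins, no matching Allow is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, ctx):
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "deny"


if __name__ == "__main__":
    for name, ctx in [("access key", CTX_ACCESS_KEY), ("console+MFA", CTX_CONSOLE_MFA),
                      ("console, no MFA", CTX_CONSOLE_NO_MFA), ("access key, tagged", CTX_ACCESS_KEY_TAGGED)]:
        print(f"{name:20} ec2:DescribeInstances -> {evaluate(POLICY, 'ec2:DescribeInstances', ctx)}"
              f" (plain Bool: {evaluate(POLICY_PLAIN_BOOL, 'ec2:DescribeInstances', ctx)})")
```

Two things the simulation makes visible: the password-only console session and the access-key request end up in the same bucket (both denied) even though one is "console" and the other is not, which is the point made in the comments that the console is just another API client; and swapping `BoolIfExists` for `Bool` turns the access-key case into an allow, because the absent key fails the condition and the Deny never applies. A real policy would also need the `iam:TagUser` and MFA-device actions restricted with `Resource` to the caller's own user ARN (for example via `${aws:username}`), otherwise a not-yet-onboarded user could tag any user in the account.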

0 Answers