AWS CloudFormation Template -Multi-Factor Authentication (MFA) for AWS IAM users
Introduction:
The provided #AWS CloudFormation template is a powerful tool for enforcing #Multi-Factor Authentication (MFA) policies within an #Amazon Web Services (AWS) Identity and #Access Management (IAM) environment. MFA is a critical security measure that adds an extra layer of protection by requiring users to provide two or more verification factors to access their AWS accounts. This template helps AWS administrators and security personnel implement MFA requirements for IAM users, ensuring enhanced security and access control.
This AWS CloudFormation template is defining an IAM policy for enforcing multi-factor authentication (MFA) for AWS IAM users. Let’s break down the template:
AWSTemplateFormatVersion: This specifies the version of the template format being used.
Description: A brief description of the purpose of this CloudFormation template.
Parameters:
EnvironmentName
: A parameter to specify the environment name for the application. It's of type String and has a constraint to specify values.IamUserGroupName
: A parameter for specifying a comma-separated list of IAM group names.
4. Mappings: There are no mappings defined in this template.
5. Conditions: There are no conditions defined in this template.
6. Resources:
MFAPolicy
: This is the main resource defined in the template. It's an IAM policy for enforcing MFA. The properties of this resource are as follows:PolicyName
: The name of the IAM policy, created using the!Sub
function which substitutes${EnvironmentName}-MFAPolicy
.PolicyDocument
: The policy document itself, which contains a set of statements. This policy allows specific IAM actions and conditions to enforce MFA.It allows viewing account information, managing one’s own virtual MFA device, and managing one’s own user MFA.
It denies all actions except for a specific set of actions if MFA is not present (controlled by the
aws:MultiFactorAuthPresent
condition).Groups
: The IAM groups to which this policy is attached. It uses theFn::Split
function to split the comma-separated values specified in theIamUserGroupName
parameter and attach the policy to those IAM groups.
This CloudFormation template is designed to create an IAM policy that enforces MFA for users who are part of specified IAM groups. It allows specific IAM actions for managing MFA and denies actions if MFA is not present. The conditions ensure that MFA is enabled for the specified actions.
Make sure to apply this template with the appropriate values for EnvironmentName
and IamUserGroupName
to enforce MFA for IAM users in your AWS environment.
Deployment Steps
Follow these steps to upload and create the CloudFormation stack using the #AWS Management Console:
- Sign in to the AWS Management Console: Log in to your AWS account if you haven’t already.
2. Navigate to CloudFormation: Go to the #AWS CloudFormation service from the AWS Management Console.
3. Click the “Create stack” button.
4. Upload the CloudFormation template file (YAML).
Yaml :
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS MFA Policy for AWS IAM User
Parameters:
EnvironmentName:
Description: Environment name for the application
Type: String
IamUserGroupName:
Type: String
Description: Enter IAM-Group name comma separated values
Mappings: {}
Conditions: {}
Resources:
MFAPolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: !Sub '${EnvironmentName}-MFAPolicy'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AllowViewAccountInfo
Effect: Allow
Action: iam:ListVirtualMFADevices
Resource: '*'
- Sid: AllowManageOwnVirtualMFADevice
Effect: Allow
Action:
- iam:CreateVirtualMFADevice
Resource: arn:aws:iam::*:mfa/${aws:username}
- Sid: AllowManageOwnUserMFA
Effect: Allow
Action:
- iam:EnableMFADevice
- iam:GetUser
- iam:ListMFADevices
- iam:ResyncMFADevice
Resource: arn:aws:iam::*:user/${aws:username}
- Sid: DenyAllExceptListedIfNoMFA
Effect: Deny
NotAction:
- iam:CreateVirtualMFADevice
- iam:EnableMFADevice
- iam:GetUser
- iam:ListMFADevices
- iam:ListVirtualMFADevices
- iam:ResyncMFADevice
- sts:GetSessionToken
Resource: '*'
Condition:
BoolIfExists:
aws:MultiFactorAuthPresent: 'false'
Groups:
Fn::Split:
- ","
- !Ref IamUserGroupName
5. Specify Stack Details:
Enter a Stack name for your deployment.
Provide parameter values as needed.
Review and acknowledge the capabilities .
You can set additional stack options or tags if necessary.
6. Review and Create:
Review the stack details and configuration.
Click “Create stack” to initiate the deployment.
7. Monitor Stack Creation:
The CloudFormation stack creation process will begin.
Monitor the stack events in the AWS Management Console.
Conclusion :-
In conclusion, the AWS CloudFormation template presented here is a valuable resource for organizations looking to enhance the security of their AWS accounts and resources. By mandating Multi-Factor Authentication for IAM users, you can reduce the risk of unauthorized access and data breaches. The template’s flexibility allows it to be employed in various settings, from development and testing to production environments.
As AWS continues to evolve and security threats become more sophisticated, tools like this CloudFormation template are vital for maintaining a robust security posture. AWS administrators can utilize this template as part of their security strategy, helping to ensure that MFA is consistently enforced for IAM users. This not only safeguards sensitive data and resources but also aligns with best practices for security in the AWS ecosystem.
Subscribe to my newsletter
Read articles from Mahira Technology Private Limited directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Mahira Technology Private Limited
Mahira Technology Private Limited
A leading tech consulting firm specializing in innovative solutions. Experts in cloud, DevOps, automation, data analytics & more. Trusted technology partner.