From ed42873dc7e2566e63de01373f575daa8e63ef39 Mon Sep 17 00:00:00 2001
From: Romain BALLAN
Date: Tue, 22 Nov 2022 11:57:39 +0100
Subject: [PATCH 1/5] fix: MFA resource name in SelfManagement policy
---
 modules/iam-group-with-policies/policies.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/iam-group-with-policies/policies.tf b/modules/iam-group-with-policies/policies.tf
index ec5e7b32..1aa177ce 100644
--- a/modules/iam-group-with-policies/policies.tf
+++ b/modules/iam-group-with-policies/policies.tf
@@ -43,7 +43,7 @@ data "aws_iam_policy_document" "iam_self_management" { resources = [ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}", "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
- "arn:${local.partition}:iam::${local.aws_account_id}:mfa/$${aws:username}",
+ "arn:${local.partition}:iam::${local.aws_account_id}:mfa/*",
 ] }
@@ -73,7 +73,7 @@ data "aws_iam_policy_document" "iam_self_management" { resources = [ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}", "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
- "arn:${local.partition}:iam::${local.aws_account_id}:mfa/$${aws:username}",
+ "arn:${local.partition}:iam::${local.aws_account_id}:mfa/*",
 ] condition {
From 9d2e1f0040e62ba2c71d60a7b3afc4afea1c776b Mon Sep 17 00:00:00 2001
From: Romain BALLAN
Date: Wed, 7 Dec 2022 17:06:42 +0100
Subject: [PATCH 2/5] fix: revert changes and add statements for new MFA resource name
---
 modules/iam-group-with-policies/policies.tf | 43 ++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)
diff --git a/modules/iam-group-with-policies/policies.tf b/modules/iam-group-with-policies/policies.tf
index 1aa177ce..50d83cab 100644
--- a/modules/iam-group-with-policies/policies.tf
+++ b/modules/iam-group-with-policies/policies.tf
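Review bot: Widening the `mfa/` resource to `mfa/*` in the first hunk makes that entry account-wide, and the statement it sits in (`AllowSelfManagement`, which starts and ends outside this hunk) carries no MFA condition; the lines removed later in patch 3 show its action list included `iam:CreateVirtualMFADevice` and `iam:DeleteVirtualMFADevice`, so any group member could delete another user's not-yet-enabled virtual MFA device from a session without MFA. If the motivation is that the console no longer names the device after the user (inferred from the subject line), keep the per-user ARN here and put the wildcard only in a statement gated by `aws:MultiFactorAuthPresent`, which is what patch 2 of this series then does. The second hunk is lower risk because the `condition` block that follows it restricts that statement to MFA-backed sessions.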
@@ -43,7 +43,7 @@ data "aws_iam_policy_document" "iam_self_management" { resources = [ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}", "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}", - "arn:${local.partition}:iam::${local.aws_account_id}:mfa/*", + "arn:${local.partition}:iam::${local.aws_account_id}:mfa/$${aws:username}", ] } @@ -59,6 +59,20 @@ data "aws_iam_policy_document" "iam_self_management" { effect = "Allow" } + statement { + sid = "AllowManageOwnVirtualMFADevice" + + actions = [ + "iam:CreateVirtualMFADevice", + ] + + resources = [ + "arn:${local.partition}:iam::${local.aws_account_id}:mfa/*", + ] + + effect = "Allow" + } + # Allow to deactivate MFA only when logging in with MFA statement { sid = "AllowDeactivateMFADevice" @@ -73,6 +87,33 @@ data "aws_iam_policy_document" "iam_self_management" { resources = [ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}", "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}", + "arn:${local.partition}:iam::${local.aws_account_id}:mfa/$${aws:username}", + ] + + condition { + test = "Bool" + variable = "aws:MultiFactorAuthPresent" + values = ["true"] + } + + condition { + test = "NumericLessThan" + variable = "aws:MultiFactorAuthAge" + values = ["3600"] + } + } + + # Allow to delete MFA only when logging in with MFA + statement { + sid = "AllowDeleteVirtualMFADevice" + + effect = "Allow" + + actions = [ + "iam:DeleteVirtualMFADevice", + ] + + resources = [ "arn:${local.partition}:iam::${local.aws_account_id}:mfa/*", ] From a191cb23140ea7445998fe8a92525991a9ba1019 Mon Sep 17 00:00:00 2001 From: Romain BALLAN Date: Wed, 11 Jan 2023 16:35:39 +0100 Subject: [PATCH 3/5] fix: rework iam self management policy --- modules/iam-group-with-policies/policies.tf | 166 +++++++++++--------- 1 file changed, 94 insertions(+), 72 deletions(-) 
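Review bot: The new `AllowDeleteVirtualMFADevice` statement at the end of the third hunk grants `iam:DeleteVirtualMFADevice` on `mfa/*`, which covers every virtual MFA device in the account rather than the caller's own; since AWS only lets a device be deleted while it is not enabled, an MFA-authenticated member can remove any colleague's unassigned or half-enrolled device. If `mfa/$${aws:username}` no longer matches the name the console assigns (the subject line suggests that) and the assigned name still starts with the username, a prefix match such as `"arn:${local.partition}:iam::${local.aws_account_id}:mfa/$${aws:username}*"` keeps the scope per-user; otherwise a comment on the statement should record why the account-wide wildcard is required. `iam:CreateVirtualMFADevice` on `mfa/*` in the second hunk follows the AWS reference policy and is lower risk, since the worst case is an orphaned device. The closing lines of the last statement fall outside the hunk.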
diff --git a/modules/iam-group-with-policies/policies.tf b/modules/iam-group-with-policies/policies.tf
index 50d83cab..6bd5d88c 100644
--- a/modules/iam-group-with-policies/policies.tf
+++ b/modules/iam-group-with-policies/policies.tf
@@ -9,124 +9,146 @@ locals { partition = data.aws_partition.current.partition } +# Allows MFA-authenticated IAM users to manage their own credentials on the My security credentials page +# https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html data "aws_iam_policy_document" "iam_self_management" { statement { - sid = "AllowSelfManagement" + sid = "AllowViewAccountInfo" + + effect = "Allow" + + actions = [ + "iam:GetAccountPasswordPolicy", + "iam:ListVirtualMFADevices" + ] + + resources = ["*"] + } + + statement { + sid = "AllowManageOwnPasswords" effect = "Allow" actions = [ "iam:ChangePassword", + "iam:GetUser" + ] + + resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"] + } + + statement { + sid = "AllowManageOwnAccessKeys" + + effect = "Allow" + + actions = [ "iam:CreateAccessKey", - "iam:CreateLoginProfile", - "iam:CreateVirtualMFADevice", "iam:DeleteAccessKey", - "iam:DeleteLoginProfile", - "iam:DeleteVirtualMFADevice", - "iam:EnableMFADevice", - "iam:GenerateCredentialReport", - "iam:GenerateServiceLastAccessedDetails", - "iam:Get*", - "iam:List*", - "iam:ResyncMFADevice", - "iam:UpdateAccessKey", - "iam:UpdateLoginProfile", - "iam:UpdateUser", - "iam:UploadSigningCertificate", - "iam:UploadSSHPublicKey", - "iam:TagUser", - "iam:ListUserTags", - "iam:UntagUser", + "iam:ListAccessKeys", + "iam:UpdateAccessKey" ] - # Allow for both users with "path" and without it - resources = [ - "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}", - "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}", - "arn:${local.partition}:iam::${local.aws_account_id}:mfa/$${aws:username}", - ] - } + resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"] + } statement { - sid = "AllowIAMReadOnly" + sid = "AllowManageOwnSigningCertificates" + + effect = "Allow" actions = [ - "iam:Get*", - "iam:List*", + 
"iam:DeleteSigningCertificate", + "iam:ListSigningCertificates", + "iam:UpdateSigningCertificate", + "iam:UploadSigningCertificate" ] - resources = ["*"] - effect = "Allow" + resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"] } statement { - sid = "AllowManageOwnVirtualMFADevice" + sid = "AllowManageOwnSSHPublicKeys" + + effect = "Allow" actions = [ - "iam:CreateVirtualMFADevice", + "iam:DeleteSSHPublicKey", + "iam:GetSSHPublicKey", + "iam:ListSSHPublicKeys", + "iam:UpdateSSHPublicKey", + "iam:UploadSSHPublicKey" ] - resources = [ - "arn:${local.partition}:iam::${local.aws_account_id}:mfa/*", - ] + resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"] + } + + statement { + sid = "AllowManageOwnGitCredentials" effect = "Allow" + + actions = [ + "iam:CreateServiceSpecificCredential", + "iam:DeleteServiceSpecificCredential", + "iam:ListServiceSpecificCredentials", + "iam:ResetServiceSpecificCredential", + "iam:UpdateServiceSpecificCredential" + ] + + resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"] } - # Allow to deactivate MFA only when logging in with MFA statement { - sid = "AllowDeactivateMFADevice" + sid = "AllowManageOwnVirtualMFADevice" effect = "Allow" actions = [ - "iam:DeactivateMFADevice", - ] - - # Allow for both users with "path" and without it - resources = [ - "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}", - "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}", - "arn:${local.partition}:iam::${local.aws_account_id}:mfa/$${aws:username}", + "iam:CreateVirtualMFADevice" ] - condition { - test = "Bool" - variable = "aws:MultiFactorAuthPresent" - values = ["true"] - } - - condition { - test = "NumericLessThan" - variable = "aws:MultiFactorAuthAge" - values = ["3600"] - } + resources = ["arn:${local.partition}:iam::${local.aws_account_id}:mfa/*"] } - # Allow to delete MFA only when logging 
in with MFA statement { - sid = "AllowDeleteVirtualMFADevice" + sid = "AllowManageOwnUserMFA" effect = "Allow" actions = [ - "iam:DeleteVirtualMFADevice", + "iam:DeactivateMFADevice", + "iam:EnableMFADevice", + "iam:ListMFADevices", + "iam:ResyncMFADevice" ] - resources = [ - "arn:${local.partition}:iam::${local.aws_account_id}:mfa/*", - ] + resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"] - condition { - test = "Bool" - variable = "aws:MultiFactorAuthPresent" - values = ["true"] - } + } + + statement { + sid = "DenyAllExceptListedIfNoMFA" + + effect = "Deny" + + not_actions = [ + "iam:CreateVirtualMFADevice", + "iam:EnableMFADevice", + "iam:GetUser", + "iam:ListMFADevices", + "iam:ListVirtualMFADevices", + "iam:ResyncMFADevice", + "sts:GetSessionToken" +] + + resources = ["*"] condition { - test = "NumericLessThan" - variable = "aws:MultiFactorAuthAge" - values = ["3600"] + test = "BoolIfExists" + variable = "aws:MultiFactorAuthPresent" + values = ["false"] } - } + } } From f96dae8a7eabe97a777e89c4857fa98c0c05752b Mon Sep 17 00:00:00 2001 From: Romain BALLAN Date: Fri, 13 Jan 2023 15:04:51 +0100 Subject: [PATCH 4/5] fix: typo --- modules/iam-group-with-policies/policies.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/iam-group-with-policies/policies.tf b/modules/iam-group-with-policies/policies.tf index 6bd5d88c..9db2ba57 100644 --- a/modules/iam-group-with-policies/policies.tf +++ b/modules/iam-group-with-policies/policies.tf @@ -141,7 +141,7 @@ data "aws_iam_policy_document" "iam_self_management" { "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken" -] + ] resources = ["*"] From 708899290b6e001bf1c31a637f6a4046ed23399d Mon Sep 17 00:00:00 2001 From: Romain BALLAN Date: Wed, 18 Jan 2023 12:36:11 +0100 Subject: [PATCH 5/5] chore: terraform fmt --- modules/iam-group-with-policies/policies.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
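Review bot: Every new `AllowManageOwn*` statement lists only `user/$${aws:username}`, while the removed `resources` blocks also carried `user/*/$${aws:username}` under the comment "Allow for both users with "path" and without it"; an IAM user created under a path has the ARN `user/<path>/<name>` and so matches none of the new Allow statements, yet is still caught by the new `DenyAllExceptListedIfNoMFA` statement, so unless another policy grants it such users can neither manage their credentials nor enrol MFA. Keep both forms in each list, e.g. `resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}", "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"]`, or state in the new header comment that users with a path are deliberately unsupported. The rework also drops `AllowIAMReadOnly` (`iam:Get*`/`iam:List*` on `*`), the login-profile, tagging and `iam:DeleteVirtualMFADevice` permissions, and the new Deny on `resources = ["*"]` blocks every non-listed action in every service for members without MFA, so this is a breaking change for consumers of the module and the README/CHANGELOG should say so rather than labelling it `fix:`. Consider whether `iam:ChangePassword` also belongs in `not_actions`, since a user required to reset their password at first sign-in otherwise cannot reach the MFA enrolment steps.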
diff --git a/modules/iam-group-with-policies/policies.tf b/modules/iam-group-with-policies/policies.tf index 9db2ba57..c2b7c318 100644 --- a/modules/iam-group-with-policies/policies.tf +++ b/modules/iam-group-with-policies/policies.tf @@ -14,17 +14,17 @@ locals { data "aws_iam_policy_document" "iam_self_management" { statement { sid = "AllowViewAccountInfo" - + effect = "Allow" - + actions = [ "iam:GetAccountPasswordPolicy", - "iam:ListVirtualMFADevices" + "iam:ListVirtualMFADevices" ] resources = ["*"] } - + statement { sid = "AllowManageOwnPasswords" @@ -36,7 +36,7 @@ data "aws_iam_policy_document" "iam_self_management" { ] resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"] - } + } statement { sid = "AllowManageOwnAccessKeys" @@ -51,7 +51,7 @@ data "aws_iam_policy_document" "iam_self_management" { ] resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"] - } + } statement { sid = "AllowManageOwnSigningCertificates" @@ -83,7 +83,7 @@ data "aws_iam_policy_document" "iam_self_management" { resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"] } - + statement { sid = "AllowManageOwnGitCredentials" @@ -150,5 +150,5 @@ data "aws_iam_policy_document" "iam_self_management" { variable = "aws:MultiFactorAuthPresent" values = ["false"] } - } + } }