AWS CloudFormation Template -Multi-Factor Authentication (MFA) for AWS IAM users

AWS CloudFormation Template -Multi-Factor Authentication (MFA) for AWS IAM users

Introduction:

The provided #AWS CloudFormation template is a powerful tool for enforcing #Multi-Factor Authentication (MFA) policies within an #Amazon Web Services (AWS) Identity and #Access Management (IAM) environment. MFA is a critical security measure that adds an extra layer of protection by requiring users to provide two or more verification factors to access their AWS accounts. This template helps AWS administrators and security personnel implement MFA requirements for IAM users, ensuring enhanced security and access control.

This AWS CloudFormation template is defining an IAM policy for enforcing multi-factor authentication (MFA) for AWS IAM users. Let’s break down the template:

  1. AWSTemplateFormatVersion: This specifies the version of the template format being used.

  2. Description: A brief description of the purpose of this CloudFormation template.

  3. Parameters:

  • EnvironmentName: A parameter to specify the environment name for the application. It's of type String and has a constraint to specify values.

  • IamUserGroupName: A parameter for specifying a comma-separated list of IAM group names.

4. Mappings: There are no mappings defined in this template.

5. Conditions: There are no conditions defined in this template.

6. Resources:

  • MFAPolicy: This is the main resource defined in the template. It's an IAM policy for enforcing MFA. The properties of this resource are as follows:

  • PolicyName: The name of the IAM policy, created using the !Sub function which substitutes ${EnvironmentName}-MFAPolicy.

  • PolicyDocument: The policy document itself, which contains a set of statements. This policy allows specific IAM actions and conditions to enforce MFA.

  • It allows viewing account information, managing one’s own virtual MFA device, and managing one’s own user MFA.

  • It denies all actions except for a specific set of actions if MFA is not present (controlled by the aws:MultiFactorAuthPresent condition).

  • Groups: The IAM groups to which this policy is attached. It uses the Fn::Split function to split the comma-separated values specified in the IamUserGroupName parameter and attach the policy to those IAM groups.

This CloudFormation template is designed to create an IAM policy that enforces MFA for users who are part of specified IAM groups. It allows specific IAM actions for managing MFA and denies actions if MFA is not present. The conditions ensure that MFA is enabled for the specified actions.

Make sure to apply this template with the appropriate values for EnvironmentName and IamUserGroupName to enforce MFA for IAM users in your AWS environment.

Deployment Steps

Follow these steps to upload and create the CloudFormation stack using the #AWS Management Console:

  1. Sign in to the AWS Management Console: Log in to your AWS account if you haven’t already.

2. Navigate to CloudFormation: Go to the #AWS CloudFormation service from the AWS Management Console.

3. Click the “Create stack” button.

4. Upload the CloudFormation template file (YAML).

Yaml :

AWSTemplateFormatVersion: '2010-09-09'

Description: AWS MFA Policy for AWS IAM User

Parameters:
  EnvironmentName:
    Description: Environment name for the application
    Type: String
  IamUserGroupName:
    Type: String
    Description: Enter IAM-Group name comma separated values

Mappings: {}
Conditions: {}

Resources:
    MFAPolicy:
      Type: 'AWS::IAM::Policy'
      Properties:
        PolicyName: !Sub '${EnvironmentName}-MFAPolicy'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Sid: AllowViewAccountInfo
              Effect: Allow
              Action: iam:ListVirtualMFADevices
              Resource: '*'
            - Sid: AllowManageOwnVirtualMFADevice
              Effect: Allow
              Action:
                - iam:CreateVirtualMFADevice
              Resource: arn:aws:iam::*:mfa/${aws:username}
            - Sid: AllowManageOwnUserMFA
              Effect: Allow
              Action:
                - iam:EnableMFADevice
                - iam:GetUser
                - iam:ListMFADevices
                - iam:ResyncMFADevice
              Resource: arn:aws:iam::*:user/${aws:username}
            - Sid: DenyAllExceptListedIfNoMFA
              Effect: Deny
              NotAction:
                - iam:CreateVirtualMFADevice
                - iam:EnableMFADevice
                - iam:GetUser
                - iam:ListMFADevices
                - iam:ListVirtualMFADevices
                - iam:ResyncMFADevice
                - sts:GetSessionToken
              Resource: '*'
              Condition:
                BoolIfExists:
                  aws:MultiFactorAuthPresent: 'false'
        Groups:
          Fn::Split:
                - ","
                - !Ref IamUserGroupName

5. Specify Stack Details:

  • Enter a Stack name for your deployment.

  • Provide parameter values as needed.

  • Review and acknowledge the capabilities .

  • You can set additional stack options or tags if necessary.

6. Review and Create:

  • Review the stack details and configuration.

  • Click “Create stack” to initiate the deployment.

7. Monitor Stack Creation:

  • The CloudFormation stack creation process will begin.

  • Monitor the stack events in the AWS Management Console.

Conclusion :-

In conclusion, the AWS CloudFormation template presented here is a valuable resource for organizations looking to enhance the security of their AWS accounts and resources. By mandating Multi-Factor Authentication for IAM users, you can reduce the risk of unauthorized access and data breaches. The template’s flexibility allows it to be employed in various settings, from development and testing to production environments.

As AWS continues to evolve and security threats become more sophisticated, tools like this CloudFormation template are vital for maintaining a robust security posture. AWS administrators can utilize this template as part of their security strategy, helping to ensure that MFA is consistently enforced for IAM users. This not only safeguards sensitive data and resources but also aligns with best practices for security in the AWS ecosystem.