
feat: Allow multiple MFA devices and users to manage MFA devices #313

Merged
merged 8 commits into from
Jan 19, 2023

Conversation

rballan
Contributor

@rballan rballan commented Nov 22, 2022

Description

Fix the IAMSelfManagement policy to allow virtual MFA devices creation.

Due to this new feature, the resource name of virtual MFA devices changes and the policy doesn't work anymore.

The wildcard in the MFA resource name is required now, because the user must specify a name for his virtual MFA device, and this is a part of the resource name.

Motivation and Context

Breaking Changes

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request
  • I have directly edited the IAMSelfManagement policy and added successfully a new virtual MFA device.

@@ -43,7 +43,7 @@ data "aws_iam_policy_document" "iam_self_management" {
resources = [
"arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}",
"arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
"arn:${local.partition}:iam::${local.aws_account_id}:mfa/$${aws:username}",
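Review bot: replacing the `mfa/$${aws:username}` entry in this `resources` list with a wildcard, as the description proposes, would widen every action of this statement, because the list is shared with the two `user/...` ARNs above it; only `iam:CreateVirtualMFADevice` needs a user-chosen device name in its ARN, so keep the user-scoped ARNs here and add a separate statement that grants `iam:CreateVirtualMFADevice` on `arn:${local.partition}:iam::${local.aws_account_id}:mfa/*`.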
Member

I think we should make this a variable where the default is the current behavior, but users can override with a wildcard for multiple MFA devices

Contributor Author

@rballan rballan Nov 24, 2022

I will take another look to confirm (create a new IAM user and try to add a virtual MFA device with the current IAMSelfManagement policy).
But it seems to me that since this new feature was released, the very first MFA device resource ARN takes the name defined by the user during its creation: arn:aws:iam::<aws_account_id>:mfa/<virtual_mfa_device_name>

Contributor Author

Sorry for not getting back to you sooner, but after a new test, I can confirm the issue.

I have tested the following scenarios from a brand-new IAM user deployed with the module:

  • Add virtual MFA device: 👎
  • Remove existing virtual MFA device: 👎

After modifying the IAMSelfManagement policy with arn:aws:iam::<aws_account_id>:mfa/*:

  • Add virtual MFA device: 👍
  • Remove existing virtual MFA device when logged in without MFA: not working, that's normal 👍
  • Remove virtual MFA device: 👍

The day after the PR, I noticed that the AWS documentation was updated: see the AllowManageOwnVirtualMFADevice statement.
But this is not updated everywhere yet.

Member

@bryantbiggs bryantbiggs Dec 7, 2022

awesome, thank you for investigating!

  1. I see, you are absolutely correct on the wildcard
  2. However, we need to really update our policy. Could you update it to match what they have provided in that doc, which is more scoped now that we introduce wildcards? Note: I didn't fully check/compare, so please do that - but we should look to split out to multiple statements based on the resource being specified
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": "iam:ListVirtualMFADevices",
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/*"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
            }
        }
    ]
}

Contributor Author

To have a more scoped policy with no impacts, I made a few changes:

  • Rollback previous changes (AllowSelfManagement & AllowDeactivateMFADevice statements)
  • Add 2 more explicit statements :
    • AllowManageOwnVirtualMFADevice => to allow action iam:CreateVirtualMFADevice with the correct resource name
    • AllowDeleteVirtualMFADevice => to allow the action with the correct resource name

Contributor Author

Hello,

I made a few changes here, according to this AWS documentation.

The AWS policy allows IAM users that are authenticated using multi-factor authentication (MFA) to manage their own credentials on the My security credentials page. It also requires the user to set up and authenticate using MFA before performing any other operations in AWS!

In real terms, that enforces MFA utilization, because the IAM user cannot do anything before his MFA is configured and he is authenticated with it.

This is a great security improvement, but this is a big change too. Is it what we want?
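
As an added illustration (not code from this PR or from the module), a small Python model of the evaluation logic for the AWS sample policy quoted earlier in this thread: it shows why the mfa/* wildcard is needed for iam:CreateVirtualMFADevice, why the user-scoped statement still keeps a user away from another user's MFA, and how the Deny statement blocks everything else, including iam:DeactivateMFADevice, until the session carries MFA. The policy dict is a constructed compact copy of that sample; the account id, usernames and device name used in the tests are made up.

```python
import fnmatch

# Constructed compact rendering of the AWS sample policy quoted in this thread.
POLICY = [
    {"Sid": "AllowViewAccountInfo", "Effect": "Allow",
     "Action": ["iam:ListVirtualMFADevices"], "Resource": ["*"]},
    {"Sid": "AllowManageOwnVirtualMFADevice", "Effect": "Allow",
     "Action": ["iam:CreateVirtualMFADevice"], "Resource": ["arn:aws:iam::*:mfa/*"]},
    {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
     "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Resource": ["arn:aws:iam::*:user/${aws:username}"]},
    {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
     "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                   "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                   "iam:ResyncMFADevice", "sts:GetSessionToken"],
     "Resource": ["*"],
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]


def _match(patterns, value, username):
    # IAM-style wildcard match after substituting the ${aws:username} policy variable.
    return any(fnmatch.fnmatchcase(value, p.replace("${aws:username}", username))
               for p in patterns)


def _condition_ok(stmt, mfa_present):
    # Only BoolIfExists on aws:MultiFactorAuthPresent is modelled (all this policy uses).
    # Pass None when the key is absent from the request (e.g. long-term access keys);
    # the IfExists variant treats a missing key as satisfying the condition.
    cond = stmt.get("Condition", {}).get("BoolIfExists", {})
    if "aws:MultiFactorAuthPresent" not in cond or mfa_present is None:
        return True
    return str(mfa_present).lower() == cond["aws:MultiFactorAuthPresent"]


def evaluate(policy, action, resource, username, mfa_present):
    """Simplified IAM logic: an explicit Deny wins, then any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy:
        if "Action" in stmt:
            applies = _match(stmt["Action"], action, username)
        else:  # NotAction: the statement covers every action NOT listed
            applies = not _match(stmt["NotAction"], action, username)
        if not (applies and _match(stmt["Resource"], resource, username)
                and _condition_ok(stmt, mfa_present)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Note that the sample grants no iam:DeleteVirtualMFADevice at all, which is why this PR adds its own AllowDeleteVirtualMFADevice statement on top of it.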

Contributor Author

@bryantbiggs Are you OK with that?

If you're not, I can try to add a new variable to allow the user to choose between the standard policy (which does not force MFA utilization) or the more secure one (which forces MFA).

Member

yes, I think this looks great and a good improvement; thank you

@github-actions github-actions bot added the stale label Jan 7, 2023
@terraform-aws-modules terraform-aws-modules deleted a comment from github-actions bot Jan 7, 2023
@bryantbiggs bryantbiggs added wip and removed stale labels Jan 7, 2023
Member

@bryantbiggs bryantbiggs left a comment

This looks great, thank you - @antonbabenko what do you think?

@bryantbiggs bryantbiggs changed the title fix: MFA resource name in SelfManagement policy feat: Allow multiple MFA devices and for users to manage MFA devices Jan 19, 2023
Member

@antonbabenko antonbabenko left a comment

LGTM

@rballan rballan changed the title feat: Allow multiple MFA devices and for users to manage MFA devices feat: Allow multiple MFA devices and users to manage MFA devices Jan 19, 2023
@bryantbiggs bryantbiggs merged commit 57a5d70 into terraform-aws-modules:master Jan 19, 2023
antonbabenko pushed a commit that referenced this pull request Jan 19, 2023
## [5.11.0](v5.10.0...v5.11.0) (2023-01-19)

### Features

* Allow multiple MFA devices and users to manage MFA devices ([#313](#313)) ([57a5d70](57a5d70))
@antonbabenko
Member

This PR is included in version 5.11.0 🎉

@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 19, 2023
Successfully merging this pull request may close these issues.

Unable to register new virtual MFA device with current IAMSelfManagement policy