Following the AWS documentation, I attached a policy to my admin group to enforce that the group's permissions are only available to users that have MFA enabled:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BlockMostAccessUnlessSignedInWithMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:ListVirtualMFADevices",
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice",
        "iam:GetAccountSummary",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
My problem is that I have a bot (let's call it arn:aws:iam::12345678:user/my-bot) that is part of that admin group and doesn't have MFA enabled. So far I have thought of these two options:
- Putting my bot in a different group where the EnforceMFA policy is not present (duplicating code)
- Somehow enable MFA for the bot (although I don't like that option)
Is there a way I could add an exception/condition to my EnforceMFA policy that says "for this specific user, don't apply this Deny"?
Thanks in advance
You could create a tag for your bot user and add another Condition: tag your service account to identify it.
Additionally, create a policy which denies changing the user's tags.
If you just want to exclude a particular user, you can use the aws:PrincipalArn global condition key in your policy to apply the Deny to all users except the one specified: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
In combination with StringNotEquals that will work!