Tags: amazon-web-services, amazon-iam, aws-policies

AWS IAM: Adding an "exception" to an identity-based policy


Following the AWS documentation, I attached a policy to my group admin to enforce that the group's permissions are only available to those users that have MFA enabled:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BlockMostAccessUnlessSignedInWithMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:ListVirtualMFADevices",
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice",
                "iam:GetAccountSummary",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

My problem is that I have a bot (let's call it arn:aws:iam::12345678:user/my-bot) that is part of that admin group and it doesn't have MFA enabled. So far I have thought of these two options:

  1. Putting my bot in a different group where the EnforceMFA policy is not present (duplicating code)
  2. Somehow enable MFA for the bot (although I don't like that option)

Is there a way I could add an exception/condition in my EnforceMFA policy that says "for this specific user, don't apply this Deny"?

Thanks in advance


Solution

  • You could create a tag for your bot user and add another Condition: tag your service account to identify it.

    {
       "Condition": {
          "Bool": {
             "aws:MultiFactorAuthPresent": "false"
          },
          "StringNotEquals": {
             "aws:PrincipalTag/type": "bot"
          }
       }
    }


    Additionally, create a policy which denies changing the user's tags.

    If you just want to exclude a particular user, you can use the aws:PrincipalArn global condition key in your policy to apply the Deny to all users except the one specified: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

    In combination with StringNotEquals that will work!
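The following is an added example, not code from the question or the answer above. It writes out the answer's Deny statement with both exception styles (the aws:PrincipalTag check on a service account tagged type=bot, and the aws:PrincipalArn check naming the bot from the question) plus the companion statement that denies re-tagging users, and runs them through a small, simplified model of IAM condition evaluation on constructed request contexts. The account id 12345678 and the user my-bot come from the question; the tag key/value type=bot, the user alice, the action s3:ListAllMyBuckets and the evaluator itself are assumptions made here, and the evaluator only models the operators these statements use. Beyond the answer's two conditions it also shows the missing-key rule that decides the outcome for long-term access keys, where aws:MultiFactorAuthPresent is absent altogether.

```python
import copy
import fnmatch

ACCOUNT_ID = "12345678"                             # from the question
BOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/my-bot"  # from the question

# The answer's Deny statement with both exception styles as ANDed condition
# operators. Every operator must hold for the Deny to fire, so a caller that
# is tagged type=bot OR is the named ARN escapes it. The NotAction list is
# shortened from the question's policy for brevity.
ENFORCE_MFA_DENY = {
    "Sid": "BlockMostAccessUnlessSignedInWithMFA",
    "Effect": "Deny",
    "NotAction": ["iam:EnableMFADevice", "iam:ListMFADevices", "sts:GetSessionToken"],
    "Resource": "*",
    "Condition": {
        "Bool": {"aws:MultiFactorAuthPresent": "false"},
        "StringNotEquals": {"aws:PrincipalTag/type": "bot"},
        "ArnNotEquals": {"aws:PrincipalArn": BOT_ARN},
    },
}

# Companion Deny the answer recommends: without it, any group member could
# tag themselves type=bot and step around the MFA requirement.
DENY_USER_TAG_CHANGES = {
    "Sid": "DenyUserTagChanges",
    "Effect": "Deny",
    "Action": ["iam:TagUser", "iam:UntagUser"],
    "Resource": "*",
}


def _operator_matches(operator, key_map, ctx):
    """Simplified model of one IAM condition operator (assumption: only the
    operators used above are implemented). Missing-key rule: a plain operator
    fails, while ...IfExists and negated (...Not...) operators succeed."""
    negated = "Not" in operator
    base = operator.replace("IfExists", "")
    for key, expected in key_map.items():
        wanted = expected if isinstance(expected, list) else [expected]
        if key not in ctx:
            if not (negated or operator.endswith("IfExists")):
                return False
            continue
        actual = str(ctx[key])
        if base == "Bool":
            hit = actual.lower() == str(wanted[0]).lower()
        elif base.startswith("String"):
            hit = actual in wanted
        elif base.startswith("Arn"):
            hit = any(fnmatch.fnmatchcase(actual, w) for w in wanted)
        else:
            raise ValueError(f"operator {operator} is not modelled")
        # A plain operator needs a hit; a negated operator needs no hit.
        if hit == negated:
            return False
    return True


def condition_matches(condition, ctx):
    """All operators inside one Condition block are ANDed."""
    return all(_operator_matches(op, keys, ctx) for op, keys in condition.items())


def statement_denies(statement, action, ctx):
    """True if this Deny statement applies to `action` under request context `ctx`."""
    if "NotAction" in statement:
        applies = action not in statement["NotAction"]
    else:
        applies = action in statement["Action"]
    return applies and condition_matches(statement.get("Condition", {}), ctx)


# Constructed request contexts (not real data): the keys IAM would populate.
CASES = {
    "bot named in aws:PrincipalArn": {
        "aws:PrincipalArn": BOT_ARN, "aws:MultiFactorAuthPresent": "false"},
    "other service account tagged type=bot": {
        "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_ID}:user/other-bot",
        "aws:PrincipalTag/type": "bot", "aws:MultiFactorAuthPresent": "false"},
    "human without MFA": {
        "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice",
        "aws:MultiFactorAuthPresent": "false"},
    "human with MFA": {
        "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice",
        "aws:MultiFactorAuthPresent": "true"},
    # Long-term access keys carry no aws:MultiFactorAuthPresent key at all.
    "human using long-term access key": {
        "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
}


def deny_decisions(use_bool_if_exists=False, action="s3:ListAllMyBuckets"):
    """Evaluate the MFA Deny for every case. With use_bool_if_exists the Bool
    operator is swapped for BoolIfExists, the form AWS's own example policy
    uses so that requests lacking the key are denied as well."""
    stmt = copy.deepcopy(ENFORCE_MFA_DENY)
    if use_bool_if_exists:
        stmt["Condition"]["BoolIfExists"] = stmt["Condition"].pop("Bool")
    return {name: statement_denies(stmt, action, ctx) for name, ctx in CASES.items()}


if __name__ == "__main__":
    for variant in (False, True):
        print("BoolIfExists" if variant else "Bool")
        for name, denied in deny_decisions(variant).items():
            print(f"  {'DENY ' if denied else 'allow'}  {name}")
```

Two things worth checking when you adapt this: the condition keys must describe the caller (aws:PrincipalTag, aws:PrincipalArn), not the target of the request, and the Bool form of the MFA check never fires for a request made with long-term access keys because the key is absent, which is why the BoolIfExists variant denies that last case while the Bool variant lets it through.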