How to enforce IAM users to use multi factor authentication to use the console?


Problem description

I'd like to require the usage of MFA for IAM users when they log into the AWS Console. I know that's possible to do that for API access, but I'm not sure whether it is possible to achieve the same when logging into the Console.

Recommended answer

Update

You can enforce your requirement with an IAM Policy based on an IAM condition that specifies the aws:MultiFactorAuthAge key, as outlined in section IAM Policies with MFA Conditions within Configuring MFA-Protected API Access - you can enforce this at two levels:

  • Existence — To simply verify that the user has been authenticated with MFA, check that the aws:MultiFactorAuthAge key is not null. (If the user has not been authenticated with MFA, this key doesn't exist and therefore is null.)
  • Duration — If you want to grant access only within a specified time after MFA authentication, use a numeric condition type to compare the key's age to a value (such as 3600 seconds).

Accordingly, a generic IAM policy for all AWS actions that simply tests for the existence of MFA authentication might look as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*", 
      "Condition":
      {
          "Null":{"aws:MultiFactorAuthAge":"false"}
      }
    }
  ]
}

Initial Answer

This is a case of 'it just works', i.e. there's nothing to be done regarding MFA-Protected Access for the AWS Management Console specifically, insofar as the console uses the API in turn and calls every API action with the logged-in user's IAM credentials accordingly (once a user has configured and enabled an MFA device, the login page will require entering the MFA token automatically) - see also section Using MFA-Protected APIs Through the Console within Configuring MFA-Protected API Access:

AWS evaluates MFA-protected API policies for actions in the console, such as terminating an Amazon EC2 instance. Set up IAM users with MFA devices and enable MFA-protected API policies. Users can then simply log in to the console with MFA authentication and are subject to the MFA-protected API policies. The console experience does not change for users that have an assigned MFA device (apart from optional time restrictions on certain MFA-protected APIs that require more frequent re-authentication). For more information about setting up IAM users with MFA devices, see Setting Up an MFA Device.
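To show how the two condition styles from the answer behave, here is an added Python example (not from the original post or from AWS) that evaluates a constructed request context against the posted existence policy and a duration variant; the small evaluator and `mfa_context` are simplifications for illustration, not IAM's real policy engine.

```python
from typing import Any, Dict, Optional

# Existence check: the policy from the answer. Null == "false" requires the key
# to be present, which is only the case for MFA-authenticated sessions.
EXISTENCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*",
    "Condition": {"Null": {"aws:MultiFactorAuthAge": "false"}}}]}

# Duration check: same grant, but the MFA session must be younger than 3600 s.
DURATION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*",
    "Condition": {"NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}}}]}


def _condition_matches(operator: str, key: str, want: str,
                       ctx: Dict[str, Any]) -> bool:
    """Evaluate one condition the way IAM treats these keys: "Null" compares
    presence of the key, and a numeric operator never matches an absent key."""
    present = key in ctx
    if operator == "Null":
        return present == (want == "false")
    if operator == "NumericLessThan":
        return present and float(ctx[key]) < float(want)
    raise ValueError(f"operator not modelled in this example: {operator}")


def is_allowed(policy: Dict[str, Any], ctx: Dict[str, Any]) -> bool:
    """True if every condition of some Allow statement matches the request
    context; with no matching Allow, IAM's default decision is deny."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        conds = stmt.get("Condition", {})
        if all(_condition_matches(op, k, v, ctx)
               for op, kv in conds.items() for k, v in kv.items()):
            return True
    return False


def mfa_context(age_seconds: Optional[int]) -> Dict[str, Any]:
    """Constructed request context: aws:MultiFactorAuthAge is set only when the
    console or API session was authenticated with an MFA device."""
    return {} if age_seconds is None else {"aws:MultiFactorAuthAge": age_seconds}


if __name__ == "__main__":
    for age in (None, 600, 7200):
        print(age, is_allowed(EXISTENCE_POLICY, mfa_context(age)),
              is_allowed(DURATION_POLICY, mfa_context(age)))
```

Keep in mind that a conditional Allow like this only restricts access when no other policy attached to the user or group grants the same actions unconditionally, since IAM combines Allow statements across all applicable policies.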
