
amazon-web-services - How can I force IAM users to use multi-factor authentication to use the console?

Reposted. Author: 行者123. Updated: 2023-12-04 19:07:00

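I want to require IAM users to use MFA when logging in to the AWS console. I know this can be done for API access, but I'm not sure whether the same can be achieved when logging in to the console.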

Best answer

Update

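You can enforce your requirement via an IAM policy based on an IAM condition that specifies the aws:MultiFactorAuthAge key, as described in the section IAM Policies with MFA Conditions within Configuring MFA-Protected API Access. You can do this at two levels: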

  • Existence — To simply verify that the user has been authenticated with MFA, check that the aws:MultiFactorAuthAge key is not null. (If the user has not been authenticated with MFA, this key doesn't exist and therefore is null.)
  • Duration — If you want to grant access only within a specified time after MFA authentication, use a numeric condition type to compare the key's age to a value (such as 3600 seconds).


So a generic IAM policy for all AWS actions that simply tests for the existence of MFA authentication might look like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*",
          "Condition": {
            "Null": {"aws:MultiFactorAuthAge": "false"}
          }
        }
      ]
    }

Initial answer

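This is a case of "it simply works", i.e. there is nothing to do regarding MFA-protected access for the AWS Management Console specifically, insofar as the console uses the APIs in turn and accordingly calls every API action with the IAM credentials of the logged-in user (once a user has an MFA device configured and enabled, the login page will require MFA token entry automatically) - see also the section Using MFA-Protected APIs Through the Console within Configuring MFA-Protected API Access: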

AWS evaluates MFA-protected API policies for actions in the console, such as terminating an Amazon EC2 instance. Set up the IAM user with an MFA device and enable an MFA-protected API policy. The user can then simply log into the console with MFA authentication and is subject to the policies for MFA-protected APIs. For users who already have an assigned MFA device, the console experience doesn't change (except for optional time limits on certain MFA-protected APIs that require more frequent re-authentication). For more information on setting up an IAM user with an MFA device, see Setting Up an MFA Device.

Regarding amazon-web-services - How can I force IAM users to use multi-factor authentication to use the console?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/21917197/
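
Added example (not part of the original answer or of AWS's code): a simplified Python model of how the existence check (`Null`) and the duration check (`NumericLessThan`, 3600 seconds) on aws:MultiFactorAuthAge behave for sessions with no MFA, recent MFA and stale MFA. The Sids, actions and sample policy are constructed for illustration, and the evaluator looks only at the Condition block of Allow statements; it does not model Action/Resource matching or Deny.

```python
import json

MFA_KEY = "aws:MultiFactorAuthAge"

# Constructed sample policy: statement 1 is the page's existence check,
# statement 2 is a duration check using the 3600-second figure quoted above.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AnyMfaSession", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*",
     "Condition": {"Null": {"aws:MultiFactorAuthAge": "false"}}},
    {"Sid": "RecentMfaOnly", "Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}}}
  ]
}
""")


def condition_matches(condition, mfa_age):
    """Evaluate the MFA-related operators; mfa_age is None when the session has no MFA."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            if key != MFA_KEY:
                raise ValueError(f"unsupported condition key: {key}")
            if operator == "Null":
                # "false" means the key must be present, "true" that it must be absent.
                if (mfa_age is None) != (str(expected).lower() == "true"):
                    return False
            elif operator == "NumericLessThan":
                # An absent key never satisfies a numeric comparison.
                if mfa_age is None or not mfa_age < float(expected):
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def allowed_sids(policy, mfa_age):
    """Return the Sids of Allow statements whose conditions hold for this session."""
    return [s.get("Sid") for s in policy["Statement"]
            if s["Effect"] == "Allow" and condition_matches(s.get("Condition", {}), mfa_age)]


if __name__ == "__main__":
    for label, age in [("no MFA", None), ("MFA 10 min ago", 600), ("MFA 2 h ago", 7200)]:
        print(f"{label:15} -> {allowed_sids(POLICY, age)}")
```

A statement with no Condition block matches every session in this model, which makes the helper usable for spotting Allow statements that are not MFA-gated at all.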
