gpt4 book ai didi

amazon-web-services - AWS IAM 强制 MFA 但允许第一次更改密码

转载 作者:行者123 更新时间:2023-12-05 07:18:16 25 4
gpt4 key购买 nike

您如何强制 AWS IAM 用户使用 MFA,但允许他们在首次登录时更改密码?

如果你关注AWS Docs , 并强制MFA,新用户在首次获得帐户时无法更改密码。

我知道你可以 force MFAnot并允许用户管理自己的密码和凭据。此外,AWS 有办法解决此问题,但不推荐这样做:

This example policy does not allow users to reset a password while signing in. New users and users with an expired password might try to do so. You can allow this by adding iam:ChangePassword to the statement DenyAllExceptListedIfNoMFA. However, IAM does not recommend this. Allowing users to change their password without MFA can be a security risk.

那么“推荐”的方式是什么?

这个问题也是asked in AWS forum没有真正的答案。

最佳答案

这里推荐的路径是使用SSO / identity federation ,但我提出了一个手动的单一策略解决方案,如果您还没有 SSO,它可以让您更轻松地进行管理。我的解决方案仍然存在风险,但它的范围仅限于初始帐户设置过程。它涉及使用 NewUser 标签手动标记新 IAM 用户,然后在他们重置密码和配置 MFA 后手动取消标记。

以下指南假定您使用的是 the recommended policy from AWS to allow MFA-authenticated IAM users to manage their own credentials on the My Security Credentials page .

编辑您的 "Sid": "DenyAllExceptListedIfNoMFA" block 所在的 MFA 策略,并将其替换为以下内容:

{
"Sid": "DenyAllExceptListedIfNoMFAAndNewUser",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken",
"iam:ChangePassword"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
},
"StringNotEqualsIfExists": {
"iam:ResourceTag/NewUser": "true"
}
}
}

创建一个新用户并添加一个 NewUser 标签,并将值设置为 trueAWS IAM console screenshot describing previous statement

将凭据发送给新用户。在他们首次登录后,从他们的 IAM 用户资源中删除 NewUser 标签。

可以看到an example of my full policy here .

关于amazon-web-services - AWS IAM 强制 MFA 但允许第一次更改密码,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58419094/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com