Ajouter policy-enforce-mfa.tf
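--- /dev/null
+++ b/policy-enforce-mfa.tf
@@ -0,0 +1,33 @@
+data "aws_iam_policy_document" "enforce_mfa" {
+statement {
+sid = "DenyAllExceptListedIfNoMFA"
+effect = "Deny"
+not_actions = [
+"iam:CreateVirtualMFADevice",
+"iam:EnableMFADevice",
+"iam:GetUser",
+"iam:ListMFADevices",
+"iam:ListVirtualMFADevices",
+"iam:ResyncMFADevice",
+"sts:GetSessionToken"
+]
+resources = ["*"]
+condition {
+test = "BoolIfExists"
+variable = "aws:MultiFactorAuthPresent"
+values = ["false", ]
+}
+}
+}
+
+resource "aws_iam_policy" "enforce_mfa" {
+name = "enforce-to-use-mfa"
+path = "/"
+description = "Policy to allow MFA management"
+policy = data.aws_iam_policy_document.enforce_mfa.json
+}
+
+resource "aws_iam_group_policy_attachment" "enforce_mfa" {
+group = aws_iam_group.administrators.name
+policy_arn = aws_iam_policy.enforce_mfa.arn
+}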
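Review bot: The `not_actions` carve-out in the `enforce_mfa` document exempts the MFA-device actions on every resource, so a session that is not MFA-authenticated can still create, enable or resync a virtual MFA device on any user the `administrators` group otherwise manages; a second Deny statement that limits `iam:CreateVirtualMFADevice`, `iam:EnableMFADevice` and `iam:ResyncMFADevice` without MFA to the caller's own `user/` and `mfa/` ARNs closes that gap (the `${aws:username}` policy variable resolves for IAM users, which fits a group attachment, and must be written `$${aws:username}` so HCL passes it through unexpanded). `iam:DeactivateMFADevice` and `iam:DeleteVirtualMFADevice` are correctly absent from the exemptions, so a non-MFA session cannot remove a device. If users are expected to change a password before they enrol a device, `iam:ChangePassword` and `iam:GetAccountPasswordPolicy` would also have to be exempted or those users are locked out at first login. The resource's `description` reads as an allow policy; `description = "Deny all actions except MFA self-management when the request is not MFA-authenticated"` states what the statement actually does.

```hcl
  # … unchanged: statement DenyAllExceptListedIfNoMFA …
  statement {
    sid    = "DenyMfaEnrollmentOnOtherPrincipalsIfNoMFA"
    effect = "Deny"
    actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ResyncMFADevice",
    ]
    # "$$" escapes HCL interpolation so AWS receives the ${aws:username} policy variable.
    not_resources = [
      "arn:aws:iam::*:user/$${aws:username}",
      "arn:aws:iam::*:mfa/$${aws:username}",
    ]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
```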