Ajouter policy-enforce-mfa.tf

2025-08-08 09:32:45 +02:00
parent f41de0d940
commit c2edc10e8c
1 changed files with 33 additions and 0 deletions
--- a/policy-enforce-mfa.tf
+++ b/policy-enforce-mfa.tf
@@ -0,0 +1,33 @@
+data "aws_iam_policy_document" "enforce_mfa" {
+  statement {
+    sid    = "DenyAllExceptListedIfNoMFA"
+    effect = "Deny"
+    not_actions = [
+      "iam:CreateVirtualMFADevice",
+      "iam:EnableMFADevice",
+      "iam:GetUser",
+      "iam:ListMFADevices",
+      "iam:ListVirtualMFADevices",
+      "iam:ResyncMFADevice",
+      "sts:GetSessionToken"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "BoolIfExists"
+      variable = "aws:MultiFactorAuthPresent"
+      values   = ["false", ]
+    }
+  }
+}
+
+resource "aws_iam_policy" "enforce_mfa" {
+  name        = "enforce-to-use-mfa"
+  path        = "/"
+  description = "Policy to allow MFA management"
+  policy      = data.aws_iam_policy_document.enforce_mfa.json
+}
+
+resource "aws_iam_group_policy_attachment" "enforce_mfa" {
+  group      = aws_iam_group.administrators.name
+  policy_arn = aws_iam_policy.enforce_mfa.arn
+}