cloud-custodian / cloud-custodian

Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
https://cloudcustodian.io
Apache License 2.0

Ability to check if role requires MFA. #5445

Closed wallabyies closed 2 years ago

wallabyies commented 4 years ago

Is your feature request related to a problem? Please describe.
I would like to be able to identify roles that have MFA enabled.

Describe the solution you'd like
A filter in Custodian.

Describe alternatives you've considered
I have attempted to create a value and boolean filter without success. I'm not sure if it's not supported or a problem with my filter.

Additional context
Setting a role to MFA can be done in the IAM console. Go into the role > Trust Relationships, and set this value in the policy document:

      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }


Here is a snippet from resources.json when filtering on the role name. This is what resources.json looks like when a role requires MFA.

    {
      "Description": "My Description",
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Condition": {
              "Bool": {
                "aws:MultiFactorAuthPresent": "true"
              }
            },
            "Principal": {
              "AWS": "arn:aws:iam::11111111111:root"
            }
          }
        ]
      },

kapilt commented 4 years ago

For simple expressions, where you just want to assert MFA, you can achieve this today by using a value filter. You'll have to play around with the jmespath expression; I'm just throwing out a sketch.

      - type: value
        key: 'AssumeRolePolicyDocument.Statement[].Condition.Bool."aws:MultiFactorAuthPresent"'
        op: in
        value_type: swap
        value: "true"

wallabyies commented 4 years ago

Thank you @kapilt! That helped immensely. I made a few tweaks, and confirmed the filter below works:

      - type: value
        key: 'AssumeRolePolicyDocument.Statement[].Condition.Bool."aws:MultiFactorAuthPresent"'
        op: in
        value_type: swap
        value: "true"

As a policy action, would it be possible to add this key/value to a role?
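
To make clear what the filter above actually accepts, here is an added Python example (not code from the cloud-custodian project) that reimplements the value filter's evaluation of `Statement[].Condition.Bool."aws:MultiFactorAuthPresent"` with `op: in` and `value_type: swap` in plain Python, over constructed trust policies modelled on the document quoted earlier; it also adds a stricter every-statement check that the filter itself does not perform.

```python
MFA_KEY = "aws:MultiFactorAuthPresent"  # JMESPath key lookup is case-sensitive

# Constructed trust policies for this example (account ids are placeholders).
MFA_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "sts:AssumeRole", "Effect": "Allow",
        "Condition": {"Bool": {MFA_KEY: "true"}},
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    }],
}
MIXED = {  # one MFA statement plus a second one with no condition at all
    "Version": "2012-10-17",
    "Statement": [
        MFA_ONLY["Statement"][0],
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"}},
    ],
}


def _statements(doc):
    """IAM allows Statement to be a single object; normalise to a list."""
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def mfa_condition_values(doc):
    """What the projection Statement[].Condition.Bool."<key>" yields:
    only statements where the lookup is non-null contribute a value."""
    out = []
    for stmt in _statements(doc):
        val = stmt.get("Condition", {}).get("Bool", {}).get(MFA_KEY)
        if val is not None:
            out.append(val)
    return out


def filter_matches(doc, value="true"):
    """op: in with value_type: swap asks: is `value` in the key's result?
    A single matching statement is enough for the role to pass the filter."""
    return value in mfa_condition_values(doc)


def all_assume_statements_require_mfa(doc):
    """Stricter variant: every Allow sts:AssumeRole statement must carry the
    condition, so an MFA-less second statement does not slip through."""
    for stmt in _statements(doc):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            if stmt.get("Condition", {}).get("Bool", {}).get(MFA_KEY) != "true":
                return False
    return True
```

Note that `filter_matches(MIXED)` is true while `all_assume_statements_require_mfa(MIXED)` is false: the `in`/`swap` filter reports a role as requiring MFA as soon as any one statement does.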

kapilt commented 4 years ago

It would need a contribution/code change. To an existing statement or to a new statement?