Skip to content

Non STS session explicitDeny overlaps with STS Allow #68

Open
Open
Non STS session explicitDeny overlaps with STS Allow#68
@anuragnandan

Description

@anuragnandan
anuragnandan
opened on Apr 17, 2024

I have Deny for all permissions if its not a STS session with MFA, except getSessionToken, listMFADevices, setMFADevice and few more.

{ "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } }
This checker said I have an explicitDeny on ecs:ExecuteCommand and ssm:StartSession even with a valid STS session and permission, because of explicitDeny without MFA Session. So, I had to add the two permissions to my list

{ "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken", "ecs:ExecuteCommand", "ssm:StartSession" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } }

which means, I can execCommand on my cluster without a MFA STS session.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions