Merge pull request #21 from RealityShift/feature-forceMfa

README.md

@@ -1,4 +1,4 @@
-# IAM Roles for Startups 
+# IAM Roles for Startups
 
 
 
@@ -14,20 +14,20 @@ This project focuses on creating a skeleton of IAM roles for startups, with the
 
 Follow Us On [![alt text][2.1]][2]
 
-[2.1]: http://i.imgur.com/P3YfQoD.png 
+[2.1]: http://i.imgur.com/P3YfQoD.png
 [2]: http://www.facebook.com/SingaporeTechEntrepreneurs/
 
 ## Role of Security
 
-In this project, we try to place security above everything. We are trying to avoid accidental deletions. We are assuming that every team member will log in from known IPs. As an added layer of security, we are making MFA mandatory for every user that logs in, even admins.
+In this project, we try to place security above everything. We are trying to avoid accidental deletions. We are assuming that every team member will log in from known IPs. As an added layer of security, we are making MFA mandatory for every user that logs in, even admins. To add the mandatory MFA, there is a policy called ```forceMfa.json``` that will need to be created and added to a group called ```FORCE_MFA```. Each IAM user to be created, will need to be a part of the ```FORCE_MFA``` group. This policy will deny IAM user's access to AWS resources until they add their MFA and use it to authenticate.
 
 ## Assumptions
 
 We are working with the following assumptions:
 
 Presence of generic job roles.
 In case an employee is wearing multiple hats, make sure you update accordingly. We have tried to block certain destructive actions like bucket deletion, accidental terminations for users who are not AWS admin like frontend and backend engineers.
-Use of blacklist instead of whitelist to keep the roles tidy. 
+Use of blacklist instead of whitelist to keep the roles tidy.
 
 ## Job Profiles
 
@@ -49,8 +49,8 @@ Create groups based on job profiles and attach policy documents from this projec
 - Submit a pull request :D
 
 
-## Contributors 
+## Contributors
 
 - Padmakar Ojha @dvopsway
-- Michael Amurjuev @LawTech Enthusiast 
+- Michael Amurjuev @LawTech Enthusiast
 - Kj Venky @kjvenky

large/forceMfa.json

@@ -0,0 +1,97 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Resource": "*",
+            "Effect": "Allow",
+            "Sid": "AllowAllUsersToAssumeRole"
+        },
+        {
+            "Action": [
+                "iam:ListAccountAliases",
+                "iam:ListUsers",
+                "iam:GetAccountSummary"
+            ],
+            "Resource": "*",
+            "Effect": "Allow",
+            "Sid": "AllowAllUsersToListAccounts"
+        },
+        {
+            "Action": [
+                "iam:ChangePassword",
+                "iam:CreateAccessKey",
+                "iam:CreateLoginProfile",
+                "iam:DeleteAccessKey",
+                "iam:DeleteLoginProfile",
+                "iam:GetAccountPasswordPolicy",
+                "iam:GetLoginProfile",
+                "iam:ListAccessKeys",
+                "iam:UpdateAccessKey",
+                "iam:UpdateLoginProfile",
+                "iam:ListSigningCertificates",
+                "iam:DeleteSigningCertificate",
+                "iam:UpdateSigningCertificate",
+                "iam:UploadSigningCertificate",
+                "iam:ListSSHPublicKeys",
+                "iam:GetSSHPublicKey",
+                "iam:DeleteSSHPublicKey",
+                "iam:UpdateSSHPublicKey",
+                "iam:UploadSSHPublicKey"
+            ],
+            "Resource": "arn:aws:iam::962749322167:user/${aws:username}",
+            "Effect": "Allow",
+            "Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation"
+        },
+        {
+            "Action": [
+                "iam:ListVirtualMFADevices",
+                "iam:ListMFADevices"
+            ],
+            "Resource": [
+                "arn:aws:iam::962749322167:mfa/*",
+                "arn:aws:iam::962749322167:user/${aws:username}"
+            ],
+            "Effect": "Allow",
+            "Sid": "AllowIndividualUserToListTheirOwnMFA"
+        },
+        {
+            "Action": [
+                "iam:CreateVirtualMFADevice",
+                "iam:DeactivateMFADevice",
+                "iam:DeleteVirtualMFADevice",
+                "iam:RequestSmsMfaRegistration",
+                "iam:FinalizeSmsMfaRegistration",
+                "iam:EnableMFADevice",
+                "iam:ResyncMFADevice"
+            ],
+            "Resource": [
+                "arn:aws:iam::962749322167:mfa/${aws:username}",
+                "arn:aws:iam::962749322167:user/${aws:username}"
+            ],
+            "Effect": "Allow",
+            "Sid": "AllowIndividualUserToManageTheirOwnMFA"
+        },
+        {
+            "Condition": {
+                "BoolIfExists": {
+                    "aws:MultiFactorAuthPresent": "false"
+                }
+            },
+            "Resource": "*",
+            "Effect": "Deny",
+            "NotAction": [
+                "iam:*",
+                "sts:AssumeRole",
+                "codecommit:*",
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:ReEncrypt",
+                "kms:GenerateDataKey",
+                "kms:GenerateDataKeyWithoutPlaintext",
+                "kms:DescribeKey"
+            ],
+            "Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA"
+        }
+    ]
+}

midsize/forceMfa.json

@@ -0,0 +1,97 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Resource": "*",
+            "Effect": "Allow",
+            "Sid": "AllowAllUsersToAssumeRole"
+        },
+        {
+            "Action": [
+                "iam:ListAccountAliases",
+                "iam:ListUsers",
+                "iam:GetAccountSummary"
+            ],
+            "Resource": "*",
+            "Effect": "Allow",
+            "Sid": "AllowAllUsersToListAccounts"
+        },
+        {
+            "Action": [
+                "iam:ChangePassword",
+                "iam:CreateAccessKey",
+                "iam:CreateLoginProfile",
+                "iam:DeleteAccessKey",
+                "iam:DeleteLoginProfile",
+                "iam:GetAccountPasswordPolicy",
+                "iam:GetLoginProfile",
+                "iam:ListAccessKeys",
+                "iam:UpdateAccessKey",
+                "iam:UpdateLoginProfile",
+                "iam:ListSigningCertificates",
+                "iam:DeleteSigningCertificate",
+                "iam:UpdateSigningCertificate",
+                "iam:UploadSigningCertificate",
+                "iam:ListSSHPublicKeys",
+                "iam:GetSSHPublicKey",
+                "iam:DeleteSSHPublicKey",
+                "iam:UpdateSSHPublicKey",
+                "iam:UploadSSHPublicKey"
+            ],
+            "Resource": "arn:aws:iam::962749322167:user/${aws:username}",
+            "Effect": "Allow",
+            "Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation"
+        },
+        {
+            "Action": [
+                "iam:ListVirtualMFADevices",
+                "iam:ListMFADevices"
+            ],
+            "Resource": [
+                "arn:aws:iam::962749322167:mfa/*",
+                "arn:aws:iam::962749322167:user/${aws:username}"
+            ],
+            "Effect": "Allow",
+            "Sid": "AllowIndividualUserToListTheirOwnMFA"
+        },
+        {
+            "Action": [
+                "iam:CreateVirtualMFADevice",
+                "iam:DeactivateMFADevice",
+                "iam:DeleteVirtualMFADevice",
+                "iam:RequestSmsMfaRegistration",
+                "iam:FinalizeSmsMfaRegistration",
+                "iam:EnableMFADevice",
+                "iam:ResyncMFADevice"
+            ],
+            "Resource": [
+                "arn:aws:iam::962749322167:mfa/${aws:username}",
+                "arn:aws:iam::962749322167:user/${aws:username}"
+            ],
+            "Effect": "Allow",
+            "Sid": "AllowIndividualUserToManageTheirOwnMFA"
+        },
+        {
+            "Condition": {
+                "BoolIfExists": {
+                    "aws:MultiFactorAuthPresent": "false"
+                }
+            },
+            "Resource": "*",
+            "Effect": "Deny",
+            "NotAction": [
+                "iam:*",
+                "sts:AssumeRole",
+                "codecommit:*",
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:ReEncrypt",
+                "kms:GenerateDataKey",
+                "kms:GenerateDataKeyWithoutPlaintext",
+                "kms:DescribeKey"
+            ],
+            "Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA"
+        }
+    ]
+}

small/forceMfa.json

@@ -0,0 +1,97 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Resource": "*",
+            "Effect": "Allow",
+            "Sid": "AllowAllUsersToAssumeRole"
+        },
+        {
+            "Action": [
+                "iam:ListAccountAliases",
+                "iam:ListUsers",
+                "iam:GetAccountSummary"
+            ],
+            "Resource": "*",
+            "Effect": "Allow",
+            "Sid": "AllowAllUsersToListAccounts"
+        },
+        {
+            "Action": [
+                "iam:ChangePassword",
+                "iam:CreateAccessKey",
+                "iam:CreateLoginProfile",
+                "iam:DeleteAccessKey",
+                "iam:DeleteLoginProfile",
+                "iam:GetAccountPasswordPolicy",
+                "iam:GetLoginProfile",
+                "iam:ListAccessKeys",
+                "iam:UpdateAccessKey",
+                "iam:UpdateLoginProfile",
+                "iam:ListSigningCertificates",
+                "iam:DeleteSigningCertificate",
+                "iam:UpdateSigningCertificate",
+                "iam:UploadSigningCertificate",
+                "iam:ListSSHPublicKeys",
+                "iam:GetSSHPublicKey",
+                "iam:DeleteSSHPublicKey",
+                "iam:UpdateSSHPublicKey",
+                "iam:UploadSSHPublicKey"
+            ],
+            "Resource": "arn:aws:iam::962749322167:user/${aws:username}",
+            "Effect": "Allow",
+            "Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation"
+        },
+        {
+            "Action": [
+                "iam:ListVirtualMFADevices",
+                "iam:ListMFADevices"
+            ],
+            "Resource": [
+                "arn:aws:iam::962749322167:mfa/*",
+                "arn:aws:iam::962749322167:user/${aws:username}"
+            ],
+            "Effect": "Allow",
+            "Sid": "AllowIndividualUserToListTheirOwnMFA"
+        },
+        {
+            "Action": [
+                "iam:CreateVirtualMFADevice",
+                "iam:DeactivateMFADevice",
+                "iam:DeleteVirtualMFADevice",
+                "iam:RequestSmsMfaRegistration",
+                "iam:FinalizeSmsMfaRegistration",
+                "iam:EnableMFADevice",
+                "iam:ResyncMFADevice"
+            ],
+            "Resource": [
+                "arn:aws:iam::962749322167:mfa/${aws:username}",
+                "arn:aws:iam::962749322167:user/${aws:username}"
+            ],
+            "Effect": "Allow",
+            "Sid": "AllowIndividualUserToManageTheirOwnMFA"
+        },
+        {
+            "Condition": {
+                "BoolIfExists": {
+                    "aws:MultiFactorAuthPresent": "false"
+                }
+            },
+            "Resource": "*",
+            "Effect": "Deny",
+            "NotAction": [
+                "iam:*",
+                "sts:AssumeRole",
+                "codecommit:*",
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:ReEncrypt",
+                "kms:GenerateDataKey",
+                "kms:GenerateDataKeyWithoutPlaintext",
+                "kms:DescribeKey"
+            ],
+            "Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA"
+        }
+    ]
+}