Amazon EC2: Requires MFA (GetSessionToken) for specific EC2 operations
This example shows how you might create an identity-based policy that allows full access to all AWS API operations in Amazon EC2. However,
it explicitly denies access to StopInstances and
TerminateInstances API operations if the user is not authenticated using
multi-factor authentication (MFA). To do this
programmatically, the user must include optional SerialNumber and
TokenCode values while calling the GetSessionToken operation.
This operation returns temporary credentials that were authenticated using MFA. To learn
more about GetSessionToken, see GetSessionToken—temporary credentials for users in untrusted
environments.
What does this policy do?
-
The
AllowAllActionsForEC2statement allows all Amazon EC2 actions. -
The
DenyStopAndTerminateWhenMFAIsNotPresentstatement denies theStopInstancesandTerminateInstancesactions when the MFA context is missing. This means that the actions are denied when the multi-factor authentication context is missing (meaning MFA was not used). A deny overrides the allow.
Note
The condition check for MultiFactorAuthPresent in the Deny
statement should not be a {"Bool":{"aws:MultiFactorAuthPresent":false}}
because that key is not present and cannot be evaluated when MFA is not used. So
instead, use the BoolIfExists check to see whether the key is present
before checking the value. For more information, see ...IfExists condition operators.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowAllActionsForEC2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*" }, { "Sid": "DenyStopAndTerminateWhenMFAIsNotPresent", "Effect": "Deny", "Action": [ "ec2:StopInstances", "ec2:TerminateInstances" ], "Resource": "*", "Condition": { "BoolIfExists": {"aws:MultiFactorAuthPresent": false} } } ] }
