Frank shows you how to protect your AWS S3 buckets using an MFA device


For additional security, I want to require users from other AWS accounts to use a multi-factor authentication (MFA) device to get access to my Amazon Simple Storage Service (Amazon S3) buckets. How can I do that?

Add MFA-related conditions to your bucket policy that require users from other AWS accounts to authenticate using an MFA device.

Before you begin, the users from other AWS accounts must meet the following requirements:

  • They must have permissions to access Amazon S3 in their own account's IAM policies. For example, users meet this requirement if they have the AmazonS3FullAccess AWS managed policy attached. Cross-account access requires both sides to allow the request: the identity-based policy in the user's account and the bucket policy in yours.
  • They must have an attached IAM policy that allows them to call GetSessionToken.
  • They must have an MFA device configured for use with their IAM identity.

Next, create a bucket policy that uses the aws:MultiFactorAuthPresent or aws:MultiFactorAuthAge condition keys. aws:MultiFactorAuthPresent is true when the request is signed with temporary credentials that were obtained after the caller authenticated with an MFA device; aws:MultiFactorAuthAge is the number of seconds since that authentication. Neither key is present in a request signed with long-term access keys, so the policy must treat a missing key as "no MFA", which is what the BoolIfExists operator in the statement below does.

For example, assume that you want to deny a user from another account the permissions to execute s3:PutObject, s3:PutObjectAcl, or s3:DeleteObject actions unless they authenticate using an MFA device. You can write a bucket policy in two parts:

1.    The first part explicitly denies those actions when the user has not authenticated using MFA. The BoolIfExists operator matches when aws:MultiFactorAuthPresent is "false" and also when the key is absent from the request, which is the case for long-term access keys; a plain Bool operator never matches an absent key and would let long-term credentials bypass the deny. The statement is similar to the following:

{
    "Version": "2012-10-17",
    "Id": "Policy201612130001aa",
    "Statement": [
        {
            "Sid": "Stmt201612130001ab",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::example.accounta.bucket/*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        },
...

2.    The second part explicitly allows the listed actions for the same account. It carries no MFA condition: because an explicit deny always overrides an allow, the first statement blocks s3:PutObject, s3:PutObjectAcl and s3:DeleteObject whenever MFA is missing, while s3:ListBucket and s3:GetObject remain allowed with or without MFA. The statement is similar to the following:

...
        {
            "Sid": "Stmt201612130001ac",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::example.accounta.bucket",
                "arn:aws:s3:::example.accounta.bucket/*"
            ]
        }
    ]
}
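To see exactly what the two statements above decide for each kind of request, here is a small policy evaluator written for this article; it is an added example, not code from AWS or from the article. It models only what this policy needs (the caller is identified by account ID, resources use at most a trailing "*" wildcard, and only the Bool and BoolIfExists operators are implemented). The request contexts are constructed: long-term access keys carry no aws:MultiFactorAuthPresent key at all, session credentials carry "false" or "true". The weaken_to_bool helper shows the common mistake of writing the deny with Bool instead of BoolIfExists.

```python
# Added example (not from the AWS article): minimal evaluator for the two-part
# MFA bucket policy, to show why the Deny uses BoolIfExists rather than Bool.
import copy
from typing import Any, Dict, List

BUCKET = "example.accounta.bucket"
ACCOUNT_A_ROOT = "arn:aws:iam::111122223333:root"

POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWritesWithoutMFA",
            "Effect": "Deny",
            "Principal": {"AWS": ACCOUNT_A_ROOT},
            "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
        {
            "Sid": "AllowAccountA",
            "Effect": "Allow",
            "Principal": {"AWS": ACCOUNT_A_ROOT},
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject",
                       "s3:PutObjectAcl", "s3:DeleteObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        },
    ],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal: Dict[str, Any], caller_account: str) -> bool:
    # Naming an account's root principal matches every principal in that account
    # (their own identity-based policy must still allow the action).
    names = _as_list(stmt_principal.get("AWS", []))
    return "*" in names or f"arn:aws:iam::{caller_account}:root" in names


def _resource_matches(pattern: str, resource: str) -> bool:
    # Only a trailing "*" wildcard is modelled; that is all this policy uses.
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _condition_matches(condition: Dict[str, Dict[str, str]], context: Dict[str, str]) -> bool:
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Bool":
                # Plain Bool: an absent key never matches.
                if not present or context[key].lower() != expected.lower():
                    return False
            elif operator == "BoolIfExists":
                # ...IfExists: an absent key counts as a match; a present key must equal the value.
                if present and context[key].lower() != expected.lower():
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy: Dict[str, Any], caller_account: str, action: str,
             resource: str, context: Dict[str, str]) -> str:
    """Return "Allow" or "Deny" using IAM's rule: an explicit Deny overrides any
    Allow, and anything not explicitly allowed is an implicit Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller_account):
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def weaken_to_bool(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the policy with BoolIfExists replaced by Bool: the common mistake."""
    weak = copy.deepcopy(policy)
    for stmt in weak["Statement"]:
        cond = stmt.get("Condition", {})
        if "BoolIfExists" in cond:
            cond["Bool"] = cond.pop("BoolIfExists")
    return weak


# Constructed request contexts for the three credential types.
LONG_TERM_KEYS: Dict[str, str] = {}                                  # key absent
SESSION_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
SESSION_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
OBJECT = f"arn:aws:s3:::{BUCKET}/reports/q4.csv"                     # constructed key name

if __name__ == "__main__":
    for label, ctx in (("long-term keys", LONG_TERM_KEYS),
                       ("session, no MFA", SESSION_NO_MFA),
                       ("session, MFA", SESSION_WITH_MFA)):
        put = evaluate(POLICY, "111122223333", "s3:PutObject", OBJECT, ctx)
        get = evaluate(POLICY, "111122223333", "s3:GetObject", OBJECT, ctx)
        print(f"{label:16} PutObject={put} GetObject={get}")
    print("Bool instead of BoolIfExists, long-term keys, PutObject =",
          evaluate(weaken_to_bool(POLICY), "111122223333", "s3:PutObject", OBJECT, LONG_TERM_KEYS))
```

Running the script shows PutObject denied for long-term keys and for a non-MFA session, allowed only for an MFA session, and GetObject allowed in every case; with the deny rewritten to use Bool, a request signed with long-term access keys is allowed to write, because the absent key makes the deny condition fail and the unconditional Allow then applies.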

After you add a similar bucket policy to your bucket, users run the get-session-token AWS Command Line Interface (AWS CLI) command (or call the equivalent GetSessionToken API) to obtain temporary credentials that carry the MFA context, and then use those credentials for their Amazon S3 requests. This command requires the user to provide:

  • The temporary code generated by the MFA device
  • The device’s serial number for a hardware MFA device, or the Amazon Resource Name (ARN) for a software MFA device

Note: The command returns an access key ID, a secret access key and a session token that must be used together. As another option for using them, users can export the three values as the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables so that subsequent AWS CLI commands are signed with the MFA-backed session.
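The same flow from a script, as an added example that is not part of the article: the SDK call behind get-session-token, the mapping of its result onto the environment variables the CLI reads, and an S3 client built from the session credentials. The function names are my own; boto3 is assumed to be installed and the user's long-term credentials configured as usual, and the sample credentials object is constructed (it uses AWS documentation example values). The comment shows the CLI command the article refers to, with its real --serial-number, --token-code and --duration-seconds options.

```python
# Added example (not from the AWS article): obtaining MFA-backed session
# credentials with boto3 and using them for the S3 call the bucket policy protects.
# CLI equivalent of get_mfa_session():
#   aws sts get-session-token --serial-number <mfa-serial-or-arn> \
#       --token-code <code-from-device> --duration-seconds 3600
import os
from typing import Any, Dict, MutableMapping


def env_from_session_credentials(creds: Dict[str, Any]) -> Dict[str, str]:
    """Map the 'Credentials' object returned by GetSessionToken onto the three
    environment variables the AWS CLI and SDKs read. They belong together: a
    request signed with the session access key but without its session token
    is rejected, so never export only the first two."""
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def export_session(creds: Dict[str, Any],
                   environ: MutableMapping[str, str] = os.environ) -> MutableMapping[str, str]:
    """Put the session into the given environment mapping (os.environ by default)
    and return it, so child processes such as the AWS CLI pick up the MFA session."""
    environ.update(env_from_session_credentials(creds))
    return environ


def get_mfa_session(serial_number: str, token_code: str,
                    duration_seconds: int = 3600) -> Dict[str, Any]:
    """Live call: serial_number is the hardware device serial or the software
    MFA ARN (arn:aws:iam::<account>:mfa/<user>), token_code the current code."""
    import boto3  # imported here so the pure helpers above work without boto3
    sts = boto3.client("sts")
    resp = sts.get_session_token(SerialNumber=serial_number,
                                 TokenCode=token_code,
                                 DurationSeconds=duration_seconds)
    return resp["Credentials"]


def s3_client_for_session(creds: Dict[str, Any], region_name: str = None):
    """S3 client that signs with the MFA session instead of the long-term keys."""
    import boto3
    return boto3.client("s3",
                        region_name=region_name,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


# Constructed sample of a GetSessionToken result (documentation example values).
SAMPLE_CREDENTIALS = {
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FwoGZXIvYXdzEBYaD3EXAMPLESESSIONTOKEN",
    "Expiration": "2018-10-25T12:00:00Z",
}

if __name__ == "__main__":
    import sys
    serial, code = sys.argv[1], sys.argv[2]          # e.g. the MFA ARN and a 6-digit code
    creds = get_mfa_session(serial, code)
    export_session(creds)                             # later `aws s3 ...` commands use the session
    s3 = s3_client_for_session(creds)
    s3.put_object(Bucket="example.accounta.bucket", Key="reports/q4.csv", Body=b"constructed body")
```

Without the MFA step, the same put_object call from this account fails with AccessDenied, because the bucket's deny statement matches both long-term keys and non-MFA sessions; get_object continues to work either way, matching the Allow statement.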



Published: 2016-1-27

Updated: 2018-10-25