Frank shows you how to
protect your AWS S3 buckets
using an MFA device


For additional security, I want to make sure that users who access my Amazon S3 buckets from other AWS accounts are authenticating using a multi-factor authentication (MFA) device. How do I do that?

You can require that an IAM user from another AWS account accessing an S3 bucket on your account authenticates using a multi-factor authentication (MFA) device by adding MFA-related conditions to your S3 bucket policy.

Before you begin, ensure the following things are true of the cross-account IAM user:

  • They have permissions to access S3 (for example, have the AmazonS3FullAccess AWS Managed Policy attached to them).
  • They have an attached IAM policy that grants them permissions to call GetSessionToken.
  • They have configured an MFA device for use with their IAM identity.

Next, associate a bucket policy with the S3 bucket that makes use of the aws:MultiFactorAuthPresent or aws:MultiFactorAuthAge keys, which will help determine whether the user has authenticated with an MFA device.

For example, assume that you want to deny a user from another account the ability to perform the s3:PutObject, s3:PutObjectAcl, or s3:DeleteObject actions unless they authenticated using an MFA device. You could write an S3 bucket policy in two parts. The first part explicitly denies those actions whenever the aws:MultiFactorAuthPresent condition key is false. Because the condition uses the BoolIfExists operator, the deny also applies when the key is absent from the request context, which is the case for requests signed with long-term access keys instead of a session token. The first statement looks similar to the following:

{
    "Version": "2012-10-17",
    "Id": "Policy201612130001aa",
    "Statement": [
        {
            "Sid": "Stmt201612130001ab",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::example.accounta.bucket/*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        },
...

In the second part of the policy, you explicitly allow those permissions (together with s3:ListBucket and s3:GetObject, which the deny does not cover). This Allow statement carries no condition of its own; because an explicit Deny always overrides an Allow, the write permissions it grants are usable only when the IAM user authenticated using an MFA device:

...
        {
            "Sid": "Stmt201612130001ac",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::example.accounta.bucket",
                "arn:aws:s3:::example.accounta.bucket/*"
            ]
        }
    ]
}
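To see why the deny is written with BoolIfExists, here is a small simulator of how the two statements above are evaluated (explicit Deny wins; BoolIfExists treats an absent key as a match). It is an added example, not AWS code, and it models only the bucket policy from this page; the three credential types and their aws:MultiFactorAuthPresent values are constructed for the illustration.

```python
from typing import Optional

# Actions covered by the two statements of the bucket policy shown above.
DENY_WITHOUT_MFA = {"s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"}
ALLOWED = DENY_WITHOUT_MFA | {"s3:ListBucket", "s3:GetObject"}

# Constructed request-context values of aws:MultiFactorAuthPresent for the
# three ways the cross-account user can sign a request:
#   "true"  - temporary credentials from get-session-token called with an MFA code
#   "false" - temporary credentials obtained without MFA
#   None    - long-term access keys: the key is absent from the request context
CREDENTIAL_TYPES = {"mfa_session": "true", "plain_session": "false", "long_term_keys": None}


def bool_if_exists(value: Optional[str], expected: str) -> bool:
    """BoolIfExists: an absent key matches; a present key must equal expected."""
    return value is None or value == expected


def bool_strict(value: Optional[str], expected: str) -> bool:
    """Plain Bool: an absent key never matches, so the statement does not apply."""
    return value is not None and value == expected


def evaluate(action: str, mfa_present: Optional[str], operator: str = "BoolIfExists") -> str:
    """Decision of the bucket policy alone for a principal in account 111122223333.
    The caller's own IAM identity policy must also allow the action; not modelled here."""
    matches = bool_if_exists if operator == "BoolIfExists" else bool_strict
    # Statement 1: Deny the write actions when aws:MultiFactorAuthPresent is "false".
    # An explicit Deny always wins over any Allow, so it is checked first.
    if action in DENY_WITHOUT_MFA and matches(mfa_present, "false"):
        return "Deny"
    # Statement 2: unconditional Allow; only reached when statement 1 did not match.
    if action in ALLOWED:
        return "Allow"
    return "ImplicitDeny"  # nothing in the policy grants this action


def summary(operator: str = "BoolIfExists") -> dict:
    """s3:PutObject decision for each credential type under the given operator."""
    return {name: evaluate("s3:PutObject", ctx, operator) for name, ctx in CREDENTIAL_TYPES.items()}


if __name__ == "__main__":
    for op in ("BoolIfExists", "Bool"):
        print(op, summary(op))
```

Switching the operator to plain Bool lets requests signed with long-term access keys through the deny, which is the gap BoolIfExists closes.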

When the IAM user wants to access the resources in your S3 bucket, they’ll now need to use the get-session-token AWS CLI command first, and supply a temporary code generated by the device, along with the device’s serial number for a hardware MFA device or Amazon Resource Name (ARN) for a software MFA device. For ease of use, the IAM user can optionally export the temporary credentials as environment variables.


Published: 2016-1-27