Aws notes/MFA Delete Notes

From Federal Burro of Information

From AWS Support

Hello David,

Thank you for speaking with me today on the chat, it has been a pleasure working with you. As we discussed on the chat, we are putting this case on hold so that you can speak with your customer to find the best solution for what you are trying to accomplish with the MFA delete without giving access to your root account.

I copied the information from the chat to make it easier going forward to look back at.

The first one being that you would be managing the versioned items. This would require your team to routinely go through and clear out the deleted items and potentially offer a "premium" service for restorations.

The second one being that you could have the clients verify their MFA tokens so that they could do the deletes on their end. It is important to note though that your Storage costs could climb if the customers cycle data.

If your clients are good on the tech side, then they could properly execute versioned deletes using the MFA token values which would allow you to accomplish what you're wanting without granting them root access.

Enabling a Virtual Multi-factor Authentication (MFA) Device http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html

Below is a guide that you can use to allow deletes with MFA authentication. I didn't want to add it via the chat as it is a good amount of information to go through.

1) Let's start with the following bucket policy which uses two explicit Deny statements (one is a Conditional statement) to enforce that only the root user can perform the DeleteBucket operation, and also requires that they use MFA authentication [1]. Note: the root user in this example can be replaced with any IAM user or role, as long as that user/role has sufficient permission to perform s3:DeleteBucket in its IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::356876009414:root"
            },
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::<bucketname>"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::<bucketname>",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": false
                }
            }
        }
    ]
}

Note: It is recommended to use the BoolIfExists operation in conjunction with the "aws:MultiFactorAuthPresent" key when checking for MFA authentication. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys for more details.

2) Next, use the CLI [2] to call get-session-token with MFA authentication. In this example, my named profile 'root' has been configured with my root credentials. A named profile can be created by running 'aws configure --profile <username>'; in this case 'aws configure --profile root':

aws sts get-session-token --profile root --serial-number "arn:aws:iam::<AccountID>:mfa/root-account-mfa-device" --token-code ######

MFA can be enabled for any IAM user or the root user, as outlined here: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html

Token code is the temporary token returned from your MFA device. This command will return a set of temporary credentials. You will need to populate the following environment variables with these values, as outlined here, http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-environment:

AWS_ACCESS_KEY_ID – AWS access key.
AWS_SECRET_ACCESS_KEY – AWS secret key. Access and secret key variables override credentials stored in credential and config files.
AWS_SESSION_TOKEN – session token. A session token is only required if you are using temporary security credentials.

For example:

$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ export AWS_SESSION_TOKEN="FQoDYXdzENr//////////wEaDM/jAjcRuwzBfnhI1CKsAZRF/mDD2/Lnsw6OLHsdbf7m/........="

3) Now that your root user has been authenticated with MFA, you should be able to successfully run the following command to delete the bucket (presuming the bucket is empty):

aws s3api delete-bucket --bucket <bucketname>

You don't specify a named profile here, because the CLI order of precedence will derive its credentials from the environment variables you just populated [3].

An explicit Deny overrides all other Allows in IAM evaluation logic. No one will be able to delete the bucket except for the IAM user(s)/role(s) or Root user specified in the policy above, and they will also require MFA authentication.

[1] - http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition
[2] - Docs for installing the CLI Tool:
http://docs.aws.amazon.com/cli/latest/userguide/installing.html
http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
[3] - http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#config-settings-and-precedence

Please let me know if you have any additional questions on any of this and I will be more than happy to continue working with you on this.

Best regards,

Amazon Web Services
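The evaluation logic behind the two Deny statements in the policy above, as an added example that is not part of the AWS Support message: a small Python simulator of how IAM treats each request, parameterised so that a plain Bool operator can be compared with the recommended BoolIfExists. The account id and bucket name are constructed placeholders.

```python
# Added example (not from the AWS Support email). IAM omits the
# aws:MultiFactorAuthPresent key entirely for requests signed with
# long-term access keys; it is only present for temporary credentials.
# Context values are modelled as Python bools for brevity.
ROOT = "arn:aws:iam::123456789012:root"   # constructed account id
BUCKET = "arn:aws:s3:::example-bucket"    # constructed bucket name

def mfa_delete_policy(operator):
    """The two Deny statements from the page, with a selectable operator."""
    return [
        {"Effect": "Deny", "NotPrincipal": {"AWS": ROOT},
         "Action": "s3:DeleteBucket", "Resource": BUCKET},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteBucket",
         "Resource": BUCKET,
         "Condition": {operator: {"aws:MultiFactorAuthPresent": False}}},
    ]

def condition_matches(condition, context):
    """Evaluate the Bool / BoolIfExists subset of IAM condition operators."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue          # missing key counts as a match
                return False          # plain Bool: missing key never matches
            if context[key] != expected:
                return False
    return True

def principal_matches(stmt, principal):
    if "NotPrincipal" in stmt:
        return principal != stmt["NotPrincipal"]["AWS"]
    return stmt["Principal"] == "*" or principal == stmt["Principal"].get("AWS")

def is_denied(statements, principal, action, resource, context):
    """True if any Deny matches; an explicit Deny overrides every Allow."""
    for stmt in statements:
        if (stmt["Effect"] != "Deny" or stmt["Action"] != action
                or stmt["Resource"] != resource):
            continue
        if not principal_matches(stmt, principal):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False

def delete_bucket_denied(operator, principal, context):
    return is_denied(mfa_delete_policy(operator), principal,
                     "s3:DeleteBucket", BUCKET, context)
```

With "Bool" instead of "BoolIfExists", a DeleteBucket call made by the root user with long-term access keys (no MFA key in the context) is not denied, which is exactly the gap the note about BoolIfExists warns against.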