make deny optional. allow users to change passwords without mfa

Author: ivankatliarchuk

README.md

@@ -64,7 +64,6 @@ module enforce_mfa {
   policy_name                     = "managed-mfa-enforce"
   account_id                      = data.aws_caller_identity.current.id
   groups                          = [aws_iam_group.support.name]
-  manage_own_password_without_mfa = true
   manage_own_signing_certificates  = true
   manage_own_ssh_public_keys      = true
   manage_own_git_credentials      = true
@@ -96,9 +95,9 @@ module enforce_mfa {
 |------|-------------|------|---------|:--------:|
 | account\_id | Account identification. (Optional, default '\*') | `string` | `"*"` | no |
 | groups | Enforce MFA for the members in these groups. (Optional, default '[]') | `list(string)` | `[]` | no |
+| manage\_explicit\_deny | Manage explicit deny. | `bool` | `false` | no |
 | manage\_own\_access\_keys | Allow a new AWS secret access key and corresponding AWS access key ID for the specified user. | `bool` | `false` | no |
 | manage\_own\_git\_credentials | Allow managing git credentials. | `bool` | `false` | no |
-| manage\_own\_password\_without\_mfa | Whethehr password management without mfa is allowd | `bool` | `true` | no |
 | manage\_own\_signing\_certificates | Allow managing signing certificates. | `bool` | `false` | no |
 | manage\_own\_ssh\_public\_keys | Allow managing ssh public keys. | `bool` | `false` | no |
 | path | Path in which to create the policy. (Optional, default '/') | `string` | `"/"` | no |

data.tf

@@ -1,13 +1,27 @@
 data aws_iam_policy_document this {
+
+  statement {
+    sid    = "AllowBasicVisiiblityWithoutMfa"
+    effect = "Allow"
+    actions = [
+      "iam:ListUsers",
+      "iam:GetAccountSummary",
+      "iam:ListAccountAliases",
+      "iam:ListVirtualMFADevices",
+      "iam:GetAccountPasswordPolicy"
+    ]
+    resources = ["*", ]
+  }
+
   statement {
     sid    = "MFAPersonalCreate"
     effect = "Allow"
     actions = [
       "iam:CreateVirtualMFADevice",
+      "iam:DeleteVirtualMFADevice"
     ]
     resources = [
       "arn:aws:iam::${var.account_id}:mfa/&{aws:username}",
-      "arn:aws:iam::${var.account_id}:user/&{aws:username}",
     ]
   }
 
@@ -16,7 +30,6 @@ data aws_iam_policy_document this {
     effect = "Allow"
     actions = [
       "iam:DeleteVirtualMFADevice",
-      "iam:DeactivateMFADevice",
     ]
     resources = [
       "arn:aws:iam::${var.account_id}:mfa/&{aws:username}",
@@ -32,7 +45,6 @@ data aws_iam_policy_document this {
   statement {
     effect = "Allow"
     actions = [
-      "iam:EnableMFADevice",
       "iam:GetUser",
       "iam:ListGroupsForUser",
     ]
@@ -42,59 +54,75 @@ data aws_iam_policy_document this {
   }
 
   statement {
-    sid    = "AllowIndividualUserToManageTheirOwnMFA"
     effect = "Allow"
     actions = [
-      "iam:CreateVirtualMFADevice",
-      "iam:DeleteVirtualMFADevice",
-      "iam:EnableMFADevice",
-      "iam:ResyncMFADevice",
+      "iam:ListGroups",
     ]
     resources = [
-      "arn:aws:iam::${var.account_id}:user/&{aws:username}",
-      "arn:aws:iam::${var.account_id}:mfa/&{aws:username}",
+      "arn:aws:iam::${var.account_id}:group/",
     ]
   }
 
   statement {
     effect = "Allow"
     actions = [
-      "iam:ListGroups",
+      "iam:ListGroupPolicies",
+      "iam:ListAttachedGroupPolicies",
     ]
     resources = [
-      "arn:aws:iam::${var.account_id}:group/",
+      "arn:aws:iam::${var.account_id}:group/*",
     ]
   }
 
   statement {
+    sid    = "AllowToListOnlyOwnMFA"
     effect = "Allow"
     actions = [
-      "iam:ListGroupPolicies",
-      "iam:ListAttachedGroupPolicies",
+      "iam:ListMFADevices",
     ]
     resources = [
-      "arn:aws:iam::${var.account_id}:group/*",
+      "arn:aws:iam::*:mfa/*",
+      "arn:aws:iam::*:user/&{aws:username}"
     ]
+
   }
 
   statement {
+    sid    = "AllowManageOwnUserMFA"
     effect = "Allow"
     actions = [
       "iam:ChangePassword",
+      "iam:CreateLoginProfile",
       "iam:UpdateLoginProfile",
+      "iam:ListAccessKeys",
       "iam:UpdateUser",
       "iam:ListAttachedUserPolicies",
       "iam:ListSSHPublicKeys",
       "iam:ListAccessKeys",
       "iam:GetLoginProfile",
-      "iam:ListMFADevices",
-      "iam:ListVirtualMFADevices",
     ]
     resources = [
       "arn:aws:iam::${var.account_id}:user/&{aws:username}",
     ]
   }
 
+  statement {
+    sid    = "AllowUserToManageOwnMFA"
+    effect = "Allow"
+
+    actions = [
+      "iam:CreateVirtualMFADevice",
+      "iam:DeleteVirtualMFADevice",
+      "iam:EnableMFADevice",
+      "iam:ResyncMFADevice"
+    ]
+
+    resources = [
+      "arn:aws:iam::*:mfa/&{aws:username}",
+      "arn:aws:iam::*:user/&{aws:username}"
+    ]
+  }
+
   statement {
     sid    = "KeysAndCertificates"
     effect = "Allow"
@@ -108,25 +136,36 @@ data aws_iam_policy_document this {
     ]
   }
 
+  statement {
+    sid    = "AllowUserToDeactivateOnlyOwnMFAWhenUsingMFA"
+    effect = "Allow"
+    actions = [
+      "iam:DeactivateMFADevice"
+    ]
+    resources = [
+      "arn:aws:iam::*:mfa/&{aws:username}",
+      "arn:aws:iam::*:user/&{aws:username}"
+    ]
+    condition {
+      test     = "Bool"
+      variable = "aws:MultiFactorAuthPresent"
+      values   = ["true"]
+    }
+  }
+
   statement {
     sid    = "AllowBasicVisiiblityWhenLoggedInWithMFA"
     effect = "Allow"
     actions = [
-      "iam:GetAccountSummary",
-      "iam:ListAccountAliases",
-      "iam:GetAccountSummary",
       "iam:ListUserTags",
       "iam:ListGroupsForUser",
       "iam:ListPolicies",
-      "iam:ListUsers",
       "iam:GetGroup",
       "iam:GenerateServiceLastAccessedDetails",
       "iam:ListUserPolicies",
       "iam:GetUser",
       "iam:ListServiceSpecificCredentials",
       "iam:ListAttachedUserPolicies",
-      "iam:ListVirtualMFADevices",
-      "iam:ListMFADevices"
     ]
     resources = ["*", ]
     condition {
@@ -136,77 +175,6 @@ data aws_iam_policy_document this {
     }
   }
 
-  statement {
-    sid    = "BlockMostAccessUnlessSignedInWithMFA"
-    effect = "Deny"
-    not_actions = [
-      "iam:CreateVirtualMFADevice",
-      "iam:DeleteVirtualMFADevice",
-      "iam:ListVirtualMFADevices",
-      "iam:EnableMFADevice",
-      "iam:ResyncMFADevice",
-      "iam:ListAccountAliases",
-      "iam:ListUsers",
-      "iam:ListSSHPublicKeys",
-      "iam:ListAccessKeys",
-      "iam:ListServiceSpecificCredentials",
-      "iam:ListMFADevices",
-      "iam:GetAccountSummary",
-      "sts:GetSessionToken"
-    ]
-    resources = ["*"]
-    condition {
-      test     = "BoolIfExists"
-      variable = "aws:MultiFactorAuthPresent"
-      values   = ["false", ]
-    }
-  }
-
-  statement {
-    sid    = "BlockReadActionsUnlessSignedInWithMFA"
-    effect = "Deny"
-
-    actions = [
-      "iam:ListMFADevices",
-      "iam:ListVirtualMFADevices",
-      "iam:ListUsers",
-    ]
-
-    resources = [
-      "arn:aws:iam::${var.account_id}:user/",
-      "arn:aws:iam::${var.account_id}:user/&{aws:username}",
-      "arn:aws:iam::${var.account_id}:mfa/",
-      "arn:aws:iam::${var.account_id}:mfa/&{aws:username}",
-    ]
-
-    condition {
-      test     = "BoolIfExists"
-      variable = "aws:MultiFactorAuthPresent"
-      values   = ["false", ]
-    }
-  }
-
-  dynamic "statement" {
-    for_each = var.manage_own_password_without_mfa ? [] : [1]
-
-    content {
-      sid    = "ChangePasswordOnlyIfMFASet"
-      effect = "Deny"
-      actions = [
-        "iam:ChangePassword",
-        "iam:CreateLoginProfile",
-      ]
-      resources = [
-        "arn:aws:iam::${var.account_id}:user/&{aws:username}"
-      ]
-      condition {
-        test     = "BoolIfExists"
-        variable = "aws:MultiFactorAuthPresent"
-        values   = ["false", ]
-      }
-    }
-  }
-
   dynamic "statement" {
     for_each = var.manage_own_access_keys ? [1] : []
 
@@ -302,4 +270,30 @@ data aws_iam_policy_document this {
       }
     }
   }
+
+  # Deny
+
+  dynamic "statement" {
+    for_each = var.manage_explicit_deny ? [1] : []
+
+    content {
+      sid    = "DenyAllExceptListedIfNoMFA"
+      effect = "Deny"
+      actions = [
+        "iam:CreateVirtualMFADevice",
+        "iam:EnableMFADevice",
+        "iam:GetUser",
+        "iam:ListMFADevices",
+        "iam:ListVirtualMFADevices",
+        "iam:ResyncMFADevice",
+        "sts:GetSessionToken"
+      ]
+      resources = ["*"]
+      condition {
+        test     = "BoolIfExists"
+        variable = "aws:MultiFactorAuthPresent"
+        values   = ["false", ]
+      }
+    }
+  }
 }

variables.tf

@@ -10,12 +10,6 @@ variable "account_id" {
   type        = string
 }
 
-variable "manage_own_password_without_mfa" {
-  default     = true
-  description = "Whethehr password management without mfa is allowd"
-  type        = bool
-}
-
 variable "manage_own_access_keys" {
   default     = false
   description = "Allow a new AWS secret access key and corresponding AWS access key ID for the specified user."
@@ -40,6 +34,12 @@ variable "manage_own_git_credentials" {
   type        = bool
 }
 
+variable "manage_explicit_deny" {
+  default     = false
+  description = "Manage explicit deny."
+  type        = bool
+}
+
 
 variable "groups" {
   default     = []