BoolIfExists for MFA — Just Say No | by Teri Radichel | Cloud Security | November 2023


ACM.360 A Better Policy to Require MFA for ALL Actions

Part of my series on Automating Cybersecurity Metrics. AWS Organizations. IAM. Deploy a static website. The Code.


In the last article I explained how I will group scripts by different administrative user types. Scripts will basically be grouped based on who is allowed to run them.

In this article, I want to review my admin role, my user templates, and user templates in general. The first user I created when creating my new AWS account was granted the AdministratorAccess policy.

Require MFA for any action taken by a user

After working on these various multi-account deployment efforts, I realized that I wanted to create a default administrator account in each new account, starting with the root administrator account.

I want some consistency in how these admins are deployed, so of course I’m going to use common templates for this purpose.

One of the things I want to do is create a policy that only allows the admin to perform actions with MFA, other than adding their MFA device to their own account.

Here’s the policy, but note my recommended changes below. I’m just adding this policy here in case AWS changes the original policy I’m writing about.

A problem with this policy – BoolIfExists

I have a problem with the code in this post: the BoolIfExists in the policy.

I’ve written about this before, but the documentation that explains why this…
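To make the operator semantics concrete, here is a small Python evaluator. It is an added example, not code from this article and not AWS's policy engine; it models only the rules that matter here, all of which are stated in the AWS IAM documentation: the aws:MultiFactorAuthPresent key is absent from the request context when a request is signed with long-term access keys and present (true or false) with temporary credentials; a BoolIfExists condition matches when the key is missing while a plain Bool condition does not; an explicit Deny overrides any Allow; and a request that nothing allows is implicitly denied. The policy documents, request contexts and helper names below are constructed for the illustration.

```python
"""
Toy evaluator for the IAM condition operators Bool and BoolIfExists applied to
the aws:MultiFactorAuthPresent context key. Constructed for illustration; it is
not the AWS policy engine and implements only the rules named in the lead-in.
"""

MFA_KEY = "aws:MultiFactorAuthPresent"

# Constructed request contexts. Per the IAM docs the MFA key exists only for
# requests made with temporary credentials; long-term access keys yield no key.
MFA_SESSION = {MFA_KEY: "true"}      # temporary credentials, MFA was used
NO_MFA_SESSION = {MFA_KEY: "false"}  # temporary credentials, no MFA
LONG_TERM_KEYS = {}                  # access key id + secret, key absent


def condition_matches(condition, context):
    """Evaluate a policy Condition block restricted to Bool / BoolIfExists."""
    if condition is None:
        return True  # statement has no Condition, so it always applies
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            if key not in context:
                # Missing key: ...IfExists counts as a match, plain Bool does not.
                if operator == "Bool":
                    return False
                continue
            if context[key] != expected:
                return False
    return True


def evaluate(policy, context):
    """Return 'Allow' or 'Deny' for one request under one policy document."""
    allowed = False
    for stmt in policy["Statement"]:
        if not condition_matches(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins over every Allow
        allowed = True
    return "Allow" if allowed else "Deny"  # nothing allowed -> implicit deny


def require_mfa_policy(effect, operator, value):
    """Build a one-condition policy; Deny variants sit on top of an allow-all."""
    conditioned = {"Effect": effect, "Action": "*", "Resource": "*",
                   "Condition": {operator: {MFA_KEY: value}}}
    statements = [conditioned]
    if effect == "Deny":
        statements.insert(0, {"Effect": "Allow", "Action": "*", "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


# Four ways people write "require MFA for everything".
POLICIES = {
    "deny_bool_false":         require_mfa_policy("Deny", "Bool", "false"),
    "deny_boolifexists_false": require_mfa_policy("Deny", "BoolIfExists", "false"),
    "allow_bool_true":         require_mfa_policy("Allow", "Bool", "true"),
    "allow_boolifexists_true": require_mfa_policy("Allow", "BoolIfExists", "true"),
}
CONTEXTS = {"mfa": MFA_SESSION, "no_mfa": NO_MFA_SESSION,
            "long_term_keys": LONG_TERM_KEYS}


def decision_matrix():
    """Decision for every (policy, request context) pair."""
    return {name: {ctx: evaluate(policy, context)
                   for ctx, context in CONTEXTS.items()}
            for name, policy in POLICIES.items()}


if __name__ == "__main__":
    for name, row in decision_matrix().items():
        print(f"{name:26s}" + "  ".join(f"{c}={d}" for c, d in row.items()))
```

The matrix makes the trap visible in the long_term_keys column: a Deny written with Bool false never fires for a request signed with long-term access keys, because the key is missing and a plain Bool does not match, so the allow-all statement wins. Swapping in BoolIfExists closes that hole in the Deny, but the same operator in an Allow (allow_boolifexists_true) opens it the other way and grants access precisely to the requests that never presented MFA. An Allow-only statement with Bool true needs no IfExists at all: a missing key simply produces no Allow, and the request falls through to the implicit deny.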
