Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
3.4.1.8. Managing Permissions to Control Access to Human & Machine Identities (MFA, STS, IAM Profiles)
Controlling who may administer identities is a meta-permission problem: without such controls, anyone holding IAM administrator rights can create a role with full administrative access.
Identity administration controls:
- Permissions boundaries (covered in 3.4.1.3): Limit what roles developers can create
- SCPs: Prevent creation of IAM users with console access, force MFA on all human identities
- IAM conditions for role creation:
{
  "Sid": "RestrictRoleCreation",
  "Effect": "Allow",
  "Action": "iam:CreateRole",
  "Resource": "arn:aws:iam::123456789012:role/app-*",
  "Condition": {
    "StringEquals": {
      "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/AppBoundary"
    }
  }
}
MFA enforcement for sensitive operations:
{
  "Sid": "DenyWithoutMFA",
  "Effect": "Deny",
  "Action": ["iam:DeleteUser", "iam:DeactivateMFADevice", "iam:DetachUserPolicy"],
  "Resource": "*",
  "Condition": {
    "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
  }
}
Machine identity best practices:
- Use IAM roles (temporary credentials) over IAM users (long-term keys) for all services
- EC2: instance profiles. Lambda: execution roles. ECS: task roles.
- Never embed credentials in code or environment variables — use Secrets Manager or Parameter Store
Exam Trap: The aws:MultiFactorAuthPresent condition key is not present in requests signed with long-term access keys, even when the user has an MFA device configured. It is only present in requests made with temporary credentials obtained from GetSessionToken with MFA. To enforce MFA for CLI users, require them to call sts:GetSessionToken with an MFA code first, then use the returned temporary credentials.
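As an added example (not the page's own code and not AWS's evaluation engine), the following Python models how IAM evaluates the DenyWithoutMFA statement above for the three request types the exam trap describes, and puts the plain Bool variant beside it so the difference is visible; the request contexts are constructed.

```python
# Added example (not from the page or AWS): a minimal model of IAM condition
# evaluation for DenyWithoutMFA, modelling only Bool, BoolIfExists, StringEquals.
DENY_WITHOUT_MFA = {
    "Sid": "DenyWithoutMFA",
    "Effect": "Deny",
    "Action": ["iam:DeleteUser", "iam:DeactivateMFADevice", "iam:DetachUserPolicy"],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}
# The same statement with plain Bool: the mistake the exam trap is about.
DENY_WITHOUT_MFA_BOOL = dict(
    DENY_WITHOUT_MFA, Condition={"Bool": {"aws:MultiFactorAuthPresent": "false"}}
)
# Constructed request contexts: long-term keys never carry the key; temporary
# credentials from sts:GetSessionToken carry it as "true" or "false".
CONTEXTS = {
    "long-term access key": {},
    "GetSessionToken without MFA": {"aws:MultiFactorAuthPresent": "false"},
    "GetSessionToken with MFA": {"aws:MultiFactorAuthPresent": "true"},
}

def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue  # ...IfExists treats a missing key as a match
                return False  # plain Bool/StringEquals fails on a missing key
            actual = str(context[key])
            if base == "Bool" and actual.lower() != str(expected).lower():
                return False
            if base == "StringEquals" and actual != str(expected):
                return False
    return True

def is_denied(statement, action, context):
    """Whether this Deny statement blocks `action` (Resource "*" is assumed to match)."""
    actions = statement["Action"]
    actions = actions if isinstance(actions, list) else [actions]
    return (statement["Effect"] == "Deny" and action in actions
            and condition_matches(statement.get("Condition", {}), context))

if __name__ == "__main__":
    for name, ctx in CONTEXTS.items():  # shows the trap: Bool lets long-term keys through
        print(f"{name:28} BoolIfExists={is_denied(DENY_WITHOUT_MFA, 'iam:DeleteUser', ctx)}"
              f"  Bool={is_denied(DENY_WITHOUT_MFA_BOOL, 'iam:DeleteUser', ctx)}")
```

Running it shows that with BoolIfExists a long-term key is denied because the key is absent, while with plain Bool the same request slips through, which is exactly why the page's statement uses BoolIfExists.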

Written by Alvin Varughese • Founder • 15 professional certifications