create mfa enforcement policy and add it to existing groups (#128)

Author: gmgonzal

terraform/aws-custom-policies.tf

@@ -4,6 +4,10 @@ module "aws_custom_policies" {
     "IAMServicesSupervisor" = {
       description = "Policy granting IAM services admins permissions to make changes to user accounts"
       filename    = "level-4-iam-services-supervisor-policy.json"
+    },
+    "EnforceMFAForUsers" = {
+      description = "Policy enforcing MFA for devops security users"
+      filename    = "enforce-mfa-for-users-policy.json"
     }
   }
 }

terraform/aws-custom-policies/enforce-mfa-for-users-policy.json

@@ -0,0 +1,25 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {
+          "Sid": "EnforceMFAForUsers",
+          "Effect": "Deny",
+          "NotAction": [
+              "iam:CreateVirtualMFADevice",
+              "iam:EnableMFADevice",
+              "iam:GetUser",
+              "iam:GetMFADevice",
+              "iam:ListMFADevices",
+              "iam:ListVirtualMFADevices",
+              "iam:ResyncMFADevice",
+              "sts:GetSessionToken"
+          ],
+          "Resource": "*",
+          "Condition": {
+              "BoolIfExists": {
+                  "aws:MultiFactorAuthPresent": "false"
+              }
+          }
+      }
+  ]
+}

terraform/aws-groups.tf

@@ -5,7 +5,8 @@ module "iam_read_only_group" {
   group_name = "read-only-group"
   policy_arn = {
     "ReadOnlyAccess"        = "arn:aws:iam::aws:policy/ReadOnlyAccess",
-    "IAMUserChangePassword" = "arn:aws:iam::aws:policy/IAMUserChangePassword"
+    "IAMUserChangePassword" = "arn:aws:iam::aws:policy/IAMUserChangePassword",
+    "EnforceMFAForUsers"    = module.aws_custom_policies.policy_arns["EnforceMFAForUsers"]
   }
 }
 
@@ -15,7 +16,8 @@ module "iam_services_supervisor_group" {
 
   group_name = "iam-services-supervisor-group"
   policy_arn = {
-    "IAMServicesSupervisor" = module.aws_custom_policies.policy_arns["IAMServicesSupervisor"]
+    "IAMServicesSupervisor" = module.aws_custom_policies.policy_arns["IAMServicesSupervisor"],
+    "EnforceMFAForUsers"    = module.aws_custom_policies.policy_arns["EnforceMFAForUsers"]
   }
 }