From adca44aa384ed9526ccc6bf152944d6ce062214d Mon Sep 17 00:00:00 2001
From: Max Gonzalez
Date: Wed, 13 Aug 2025 17:12:56 -0700
Subject: [PATCH] create mfa enforcement policy and add it to existing groups

---
 terraform/aws-custom-policies.tf                   |  4 +++
 .../enforce-mfa-for-users-policy.json              | 25 +++++++++++++++++++
 terraform/aws-groups.tf                            |  6 +++-
 3 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 terraform/aws-custom-policies/enforce-mfa-for-users-policy.json

diff --git a/terraform/aws-custom-policies.tf b/terraform/aws-custom-policies.tf
index c06a913..31edcc1 100644
--- a/terraform/aws-custom-policies.tf
+++ b/terraform/aws-custom-policies.tf
@@ -4,6 +4,10 @@ module "aws_custom_policies" {
     "IAMServicesSupervisor" = {
       description = "Policy granting IAM services admins permissions to make changes to user accounts"
       filename    = "level-4-iam-services-supervisor-policy.json"
+    },
+    "EnforceMFAForUsers" = {
+      description = "Policy enforcing MFA for devops security users"
+      filename    = "enforce-mfa-for-users-policy.json"
     }
   }
 }
diff --git a/terraform/aws-custom-policies/enforce-mfa-for-users-policy.json b/terraform/aws-custom-policies/enforce-mfa-for-users-policy.json
new file mode 100644
index 0000000..4167bdf
--- /dev/null
+++ b/terraform/aws-custom-policies/enforce-mfa-for-users-policy.json
@@ -0,0 +1,25 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "EnforceMFAForUsers",
+      "Effect": "Deny",
+      "NotAction": [
+        "iam:CreateVirtualMFADevice",
+        "iam:EnableMFADevice",
+        "iam:GetUser",
+        "iam:GetMFADevice",
+        "iam:ListMFADevices",
+        "iam:ListVirtualMFADevices",
+        "iam:ResyncMFADevice",
+        "sts:GetSessionToken"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "BoolIfExists": {
+          "aws:MultiFactorAuthPresent": "false"
+        }
+      }
+    }
+  ]
+}
\ No newline at end of file
diff --git a/terraform/aws-groups.tf b/terraform/aws-groups.tf
index 42a44e5..778ec85 100644
--- a/terraform/aws-groups.tf
+++ b/terraform/aws-groups.tf
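Review bot: The `description` on the new `EnforceMFAForUsers` entry says the policy enforces MFA for "devops security users", but this same commit attaches it to read-only-group and iam-services-supervisor-group and the JSON is a blanket Deny, so the text will mislead anyone reading the policy list in the console or in a later audit. A description that states the effect rather than an audience is more useful, e.g. `description = "Denies every action except MFA self-enrollment and sts:GetSessionToken when the request is not MFA-authenticated"`. Since the policy JSON itself cannot carry comments, this description is the only place the intent of the `BoolIfExists` condition (requests signed with long-term access keys are also denied) can be recorded. The enclosing `module "aws_custom_policies"` block starts outside the hunk.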
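Review bot: `iam:ChangePassword` is not in the `NotAction` list, so the Deny covers it for any request without MFA; because an explicit Deny overrides the `IAMUserChangePassword` managed policy that read-only-group carries in aws-groups.tf, a member who has not yet enrolled a device cannot change their password, and if accounts are created with a reset-on-first-sign-in password (not visible in this diff) that user is locked out before reaching the MFA setup page. Adding `"iam:ChangePassword"` — and, if the console password page is used, probably `"iam:GetAccountPasswordPolicy"`, which that page reads — to `NotAction` closes the gap while leaving the deny intact for everything else. Note also that `BoolIfExists` treats requests that lack `aws:MultiFactorAuthPresent` entirely (long-term access keys) as not MFA-authenticated, so CLI users with plain keys are denied everything but `sts:GetSessionToken`; that appears to be the intent, but it should be stated in the policy description since this file cannot hold a comment.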
@@ -5,7 +5,8 @@ module "iam_read_only_group" {
   group_name = "read-only-group"
   policy_arn = {
     "ReadOnlyAccess"        = "arn:aws:iam::aws:policy/ReadOnlyAccess",
-    "IAMUserChangePassword" = "arn:aws:iam::aws:policy/IAMUserChangePassword"
+    "IAMUserChangePassword" = "arn:aws:iam::aws:policy/IAMUserChangePassword",
+    "EnforceMFAForUsers"    = module.aws_custom_policies.policy_arns["EnforceMFAForUsers"]
   }
 }
 
@@ -15,7 +16,8 @@ module "iam_services_supervisor_group" {
 
   group_name = "iam-services-supervisor-group"
   policy_arn = {
-    "IAMServicesSupervisor" = module.aws_custom_policies.policy_arns["IAMServicesSupervisor"]
+    "IAMServicesSupervisor" = module.aws_custom_policies.policy_arns["IAMServicesSupervisor"],
+    "EnforceMFAForUsers"    = module.aws_custom_policies.policy_arns["EnforceMFAForUsers"]
   }
 }
 
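Review bot: Attaching `EnforceMFAForUsers` to read-only-group gives its members no way to satisfy it: the policy's `NotAction` list only exempts `iam:CreateVirtualMFADevice`, `iam:EnableMFADevice` and the other MFA-management actions from the Deny, it does not grant them, and neither `ReadOnlyAccess` nor `IAMUserChangePassword` does either, so unless a policy outside this diff allows them a member without MFA is denied everything and cannot enrol a device themselves. Either pair the deny with an Allow for those actions scoped to the caller's own identity (`arn:aws:iam::*:user/${aws:username}` and `arn:aws:iam::*:mfa/${aws:username}`), or document in this file that an administrator enrols the first device before a user is added to the group. Applying this to an existing group also denies current non-MFA members on the next `terraform apply`, so the rollout order matters and deserves a comment next to the attachment. The same question applies to iam-services-supervisor-group in the second hunk, where the contents of `IAMServicesSupervisor` are not visible here.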