Amazon EC2: Requires MFA (GetSessionToken) for specific EC2 operations
This example shows how you might create an identity-based policy that allows full access to all AWS API operations in Amazon EC2. However, it explicitly denies access to the StopInstances and TerminateInstances API operations if the user is not authenticated using multi-factor authentication (MFA). To do this programmatically, the user must include the optional SerialNumber and TokenCode values while calling the GetSessionToken operation. This operation returns temporary credentials that were authenticated using MFA. To learn more about GetSessionToken, see Requesting credentials for users in untrusted environments.
What does this policy do?
- The AllowAllActionsForEC2 statement allows all Amazon EC2 actions.
- The DenyStopAndTerminateWhenMFAIsNotPresent statement denies the StopInstances and TerminateInstances actions when the MFA context key is missing from the request, which is the case when MFA was not used. An explicit deny overrides the allow.
Note
The condition check for MultiFactorAuthPresent in the Deny statement should not be {"Bool":{"aws:MultiFactorAuthPresent":false}}, because that key is not present and cannot be evaluated when MFA is not used. Instead, use the BoolIfExists check to see whether the key is present before checking the value. For more information, see ...IfExists condition operators.
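The following is an added example, not part of the AWS documentation page: it reconstructs the policy from the description above (statement IDs and actions are the ones the page names) and simulates how IAM resolves Bool versus BoolIfExists when aws:MultiFactorAuthPresent is absent from the request context, so the pitfall in the Note can be seen directly. The evaluator handles only these two operators and the action/effect logic needed here; it is a simplified model, not the IAM engine.

```python
import copy
import fnmatch

# Reconstructed from the page's description of the policy (not copied from it).
EC2_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAllActionsForEC2", "Effect": "Allow",
         "Action": ["ec2:*"], "Resource": "*"},
        {"Sid": "DenyStopAndTerminateWhenMFAIsNotPresent", "Effect": "Deny",
         "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def with_operator(policy: dict, operator: str) -> dict:
    """Return a copy of the policy whose Deny condition uses `operator` (Bool or BoolIfExists)."""
    variant = copy.deepcopy(policy)
    deny = variant["Statement"][1]
    (_, kv), = deny["Condition"].items()
    deny["Condition"] = {operator: kv}
    return variant

def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate Bool / BoolIfExists conditions against the request context keys."""
    for operator, kv in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported operator: {operator}")
        for key, expected in kv.items():
            if key not in context:
                # Key absent (e.g. long-term credentials, no MFA): Bool cannot be
                # evaluated and does not match; BoolIfExists treats a missing key as a match.
                if operator == "Bool":
                    return False
                continue
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy: dict, action: str, context: dict) -> str:
    """Simplified IAM decision: explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in stmt["Action"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

With the Bool variant, a request that carries no aws:MultiFactorAuthPresent key slips past the Deny statement and is allowed by the ec2:* statement; the BoolIfExists form denies it.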