

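def mfa_store_policy(user, region, account):
    """Attach the ``user_mfa_access`` managed policy to ``user``, creating it if needed.

    The policy grants the principal ``ssm:GetParameters`` on only the parameter
    named after itself (``parameter/mfa-${aws:username}``) and ``kms:Decrypt``
    on the key behind the ``alias/MFAUser`` alias.

    Args:
        user: IAM user name the policy is attached to.
        region: Region used to build the SSM parameter ARN.
        account: Account ID used to build the policy and parameter ARNs.

    Returns:
        0 on success (kept for compatibility with existing callers).

    Raises:
        botocore.exceptions.ClientError: any IAM/KMS failure other than the two
        handled here (policy missing on first attach; policy created concurrently
        by another invocation) propagates instead of being swallowed.
    """
    policy_arn = 'arn:aws:iam::' + account + ':policy/user_mfa_access'
    try:
        # Fast path: the policy already exists (e.g. created by the CFN template).
        IAM_CLIENT.attach_user_policy(UserName=user, PolicyArn=policy_arn)
        return 0
    except IAM_CLIENT.exceptions.NoSuchEntityException:
        # Only "policy (or user) does not exist" may fall through to creation.
        # The previous bare ``except:`` also masked AccessDenied/throttling and
        # then failed on create_policy with a misleading EntityAlreadyExists.
        pass

    # IAM policies must reference the key ARN, not the alias, so resolve it first.
    kms_client = boto3.client('kms')
    key_arn = kms_client.describe_key(KeyId='alias/MFAUser')['KeyMetadata']['Arn']
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:GetParameters"
                ],
                # ``${aws:username}`` is an IAM policy variable, not Python
                # interpolation: each user can only read their own parameter.
                "Resource": "arn:aws:ssm:" + region + ":" + account + ":parameter/mfa-${aws:username}"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt"
                ],
                # NOTE(review): this is an unconditional Decrypt on the whole key, so a
                # user holding any ciphertext under it (not just their own parameter)
                # could decrypt it directly. Consider a ``kms:ViaService`` condition
                # limited to ``ssm.<region>.amazonaws.com`` -- confirm with the
                # parameter store setup before tightening.
                "Resource": key_arn
            }
        ]
    }
    try:
        IAM_CLIENT.create_policy(
            PolicyName='user_mfa_access',
            PolicyDocument=json.dumps(policy),
            Description='User policy for MFA token access'
        )
    except IAM_CLIENT.exceptions.EntityAlreadyExistsException:
        # Lost a race with a concurrent invocation; the policy exists now, so
        # attaching it below is still the right outcome.
        pass
    IAM_CLIENT.attach_user_policy(UserName=user, PolicyArn=policy_arn)
    return 0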