Add tutorial to access S3 by assuming role with MFA requirement.

Author: dkocher

protocols/s3/index.md

@@ -231,6 +231,12 @@ You might be interested in scripts maintained by third parties to facilitate man
 
 - [Utilities for easy management of AWS MFA and role sessions and virtual MFA devices](https://github.com/vwal/awscli-mfa)
 
+:::{admonition} Tutorial
+:class: tip
+
+Follow the [step-by-step instructions](../../tutorials/s3_iam_role_mfa.md) to require MFA by assuming a role to access S3.
+:::
+
 #### AWS IAM Identity Center
 
 For a SSO connection authenticating with AWS IAM Identity Center (Successor to AWS Single Sign-On), the properties

tutorials/_images/S3_MFA_Prompt.png

@@ -6,6 +6,7 @@ Tutorials
 :titlesonly:
 hidden_properties
 custom_oauth_client_id
+s3_iam_role_mfa
 iam
 vault_localdisk
 sftp_publickeyauth

tutorials/index.md

@@ -0,0 +1,115 @@
+Configure a user in AWS IAM that is required to use MFA to connect to S3
+====
+
+> You want an IAM user who cannot directly access S3, but instead must assume a role (with MFA required) to access S3 buckets in the same AWS account. Create a configuration for AWS CLI that is supported in Cyberduck and Mountain Duck using the [S3 (Credentials from AWS Command Line Interface) connection profile](../protocols/s3/index.md#connecting-using-credentials-from-aws-command-line-interface).
+
+### Create a user with both access keys and a MFA device configured
+
+1. In AWS [IAM console](https://console.aws.amazon.com/iam/) create a new user. Do *not* grant this user any permissions for S3.
+2. In the _Security credentials_ tab, choose _Create access key_. Copy the Access Key ID and Secret Access Key to a profile in `~/.aws/credentials`
+
+    ```
+    [<S3_USER>]
+    aws_access_key_id=AKIA…
+    aws_secret_access_key=…
+    ```
+
+3. Assign a MFA device to the user in _Multi-factor authentication (MFA)_. Reference the MFA ARN as the value for the `mfa_serial` parameter in the `<S3-ROLE-NAME>` profile in `~/.aws/credentials`.
+
+    :::{tip}
+    To allow entering the code in Cyberduck or Mountain Duck when connecting, make sure to choose _Authenticator app_ or _Hardware TOTP token_ as a MFA device. Using Passkey MFA does not allow getting a numeric MFA code.
+    :::
+
+4. Copy the MFA ARN and reference it in `mfa_serial` in the `<S3-ROLE-NAME>` profile in `~/.aws/credentials`
+
+    ```
+    [<S3-ROLE-NAME>]
+    source_profile=<S3_USER>
+    role_arn=arn:aws:iam::<Account ID>:role/<S3-ROLE-NAME>
+    mfa_serial=arn:aws:iam::<Account ID>:mfa/<MFA-DEVICE-NAME>
+    ```
+
+### Create IAM role allowing access to S3 enforcing the MFA requirement
+
+1. In AWS [IAM console](https://console.aws.amazon.com/iam/) create a new IAM role that has S3 permissions and requires MFA. The IAM role must have the trusted entity set to the previously created user's ARN.
+
+    ```
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": "arn:aws:iam::<ACCOUNT_ID>:user/<S3_USER>"
+                },
+                "Action": "sts:AssumeRole",
+                "Condition": {
+                    "Bool": { "aws:MultiFactorAuthPresent": "true" }
+                }
+            }
+        ]
+    }
+    ```
+
+2. Copy the Role ARN and reference it in `role_arn` in the `<S3-ROLE-NAME>` profile in `~/.aws/credentials`
+    ```
+    [<S3-ROLE-NAME>]
+    source_profile=<S3_USER>
+    role_arn=arn:aws:iam::<Account ID>:role/<S3-ROLE-NAME>
+    mfa_serial=arn:aws:iam::<Account ID>:mfa/<MFA-DEVICE-NAME>
+    ```
+    This will require the user to enter a MFA code when assuming a role with a S3 access policy attached when connecting.
+
+3. Attach a permission policy to the role that grants access to S3, such as:
+
+    ```
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "s3:*"
+                ],
+                "Resource": "*"
+            }
+        ]
+    }
+    ```
+   
+    Restrict the permissions as necessary.
+
+### Add inline policy to allow the user to assume the role with `sts:AssumeRole`
+
+1. Navigate to the previously added IAM user to attach the `sts:AssumeRole` permission as an inline policy.
+2. Add a permission policy for the user by choosing _Add permissions → Create inline policy_ in the _Permissions_ tab. In the policy editor opened, add the action `sts:AssumeRole` for the resource ARN referencing the IAM role `<S3-ROLE-NAME>` created previously allowing access to S3 with MFA.
+
+    ```
+    {
+       "Version": "2012-10-17",
+       "Statement": [
+       {
+          "Effect": "Allow",
+          "Action": "sts:AssumeRole",
+          "Resource": "arn:aws:iam::<Account ID>:role/S3-ROLE-NAME"
+        }
+        ]
+    }
+    ```
+
+
+### Create a bookmark in Cyberduck or Mountain Duck
+
+1. Add a new [Bookmark](../cyberduck/bookmarks.md) in Cyberduck or Mountain Duck.
+2. Choose *S3 (Credentials from AWS Command Line Interface) profile* in the protocol dropdown. If the [connection profile](../protocols/profiles/index.md) is not available, enable it by choosing _More Options…_.
+3. Enter the alias <S3-ROLE-NAME> for the role configuration from your AWS CLI configuration in _Server_.
+4. When connecting enter the MFA code from your device when prompted.
+
+   :::{image} _images/S3_MFA_Prompt.png
+   :alt: MFA Prompt
+   :width: 400px
+   :::
+
+
+## References
+