
AWS IAM policies that differentiate between console & access key access

Çağlar Arlı

Question: How can an AWS IAM policy be devised to differentiate between console (web) and access key (API) access?

Use Case: Say I want to allow a certain group of users full IAM privileges via the console (web), and read-only IAM via access key (API).

The specific use case is that I trust some AWS users with full IAM privileges, as they have 2FA for console access. They don't practice 2FA for access key access, and it is significantly easier to misuse. Yet they still need some (read) access key (API) access, as they employ auditing tools and often use the CLI.

Progress: The condition component in an AWS IAM policy looks promising; I've been able to use it effectively to enforce the use of IAM:

"Condition": {
    "BoolIfExists": {
        "aws:MultiFactorAuthPresent": "false"
    }
}

But I could not find any relevant conditions which AWS supports to account for differentiating between console and access key access.
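As an added example that is not part of the original question: IAM has no condition key that names the access path (console versus API), so the usual substitute is to key on aws:MultiFactorAuthPresent instead. AWS sets that key only for temporary credentials, which is what a console sign-in and an STS session use; a long-term access key carries no such key at all. The policy below grants IAM reads unconditionally, IAM writes only when MFA is present, and adds an explicit Deny written with BoolIfExists so that it also fires when the key is absent. The evaluator is a deliberately simplified model of IAM's decision logic (action wildcards, the Bool and BoolIfExists operators, explicit Deny over Allow, implicit Deny by default; no resources, principals or SCPs), the policy is hypothetical, and the request contexts are constructed to mirror the documented behaviour of the MFA key.

```python
"""Simplified model of IAM policy evaluation, added to show how gating on
aws:MultiFactorAuthPresent behaves for console sign-in, long-term access
keys and STS sessions. Modelled: Action/NotAction wildcards, the Bool and
BoolIfExists operators, explicit Deny overriding Allow, implicit Deny by
default. Not modelled: resources, principals, policy variables, SCPs."""
from fnmatch import fnmatchcase

MFA_KEY = "aws:MultiFactorAuthPresent"

# Constructed request contexts (not captured from AWS). The key exists only
# for temporary credentials; a plain access key has no key at all.
CONSOLE_WITH_MFA = {MFA_KEY: "true"}
API_LONG_TERM_KEY = {}                  # aws configure'd access key: key absent
API_STS_WITHOUT_MFA = {MFA_KEY: "false"}  # get-session-token without a token code
API_STS_WITH_MFA = {MFA_KEY: "true"}      # get-session-token with --serial-number/--token-code

READ_ACTIONS = ["iam:Get*", "iam:List*", "iam:GenerateCredentialReport"]

# Hypothetical policy for the question's use case (not an AWS managed policy).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IamReadAlways", "Effect": "Allow",
         "Action": READ_ACTIONS, "Resource": "*"},
        {"Sid": "IamWriteOnlyWithMfa", "Effect": "Allow",
         "Action": "iam:*", "Resource": "*",
         "Condition": {"Bool": {MFA_KEY: "true"}}},
        # BoolIfExists is what makes this fire for a long-term access key:
        # the key is absent there, and BoolIfExists treats absence as a match.
        {"Sid": "DenyIamWritesWithoutMfa", "Effect": "Deny",
         "NotAction": READ_ACTIONS, "Resource": "*",
         "Condition": {"BoolIfExists": {MFA_KEY: "false"}}},
    ],
}


def full_access_plus_mfa_deny(operator):
    """An unconditional iam:* Allow (think IAMFullAccess attached elsewhere)
    guarded only by an MFA Deny written with the given operator. Used to show
    why that Deny must be BoolIfExists rather than Bool."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "LikeIAMFullAccess", "Effect": "Allow",
         "Action": "iam:*", "Resource": "*"},
        {"Sid": "MfaDeny", "Effect": "Deny",
         "NotAction": READ_ACTIONS, "Resource": "*",
         "Condition": {operator: {MFA_KEY: "false"}}},
    ]}


def _matches(patterns, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _action_applies(stmt, action):
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    return not _matches(stmt["NotAction"], action)


def _condition_holds(cond, ctx):
    """Every operator/key pair must hold; an empty Condition always holds."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            present = key in ctx
            same = present and str(ctx[key]).lower() == str(want).lower()
            if op == "Bool" and not same:
                return False            # absent key => Bool never matches
            if op == "BoolIfExists" and present and not same:
                return False            # absent key => treated as a match
            if op not in ("Bool", "BoolIfExists"):
                raise ValueError(f"operator {op} not modelled")
    return True


def evaluate(policy, action, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _action_applies(stmt, action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"               # any matching explicit Deny wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    contexts = {"console+MFA": CONSOLE_WITH_MFA, "access key": API_LONG_TERM_KEY,
                "STS no MFA": API_STS_WITHOUT_MFA, "STS+MFA": API_STS_WITH_MFA}
    for name, ctx in contexts.items():
        for action in ("iam:ListUsers", "iam:CreateUser"):
            print(f"{name:12} {action:16} {evaluate(POLICY, action, ctx)}")
    for op in ("Bool", "BoolIfExists"):
        print(f"IAMFullAccess + {op} Deny, access key, iam:CreateUser:",
              evaluate(full_access_plus_mfa_deny(op), "iam:CreateUser", API_LONG_TERM_KEY))
```

Two things the run makes visible. First, the policy does not actually distinguish console from API: an API caller who obtains an STS session with a token code gets IAM writes too, which is the behaviour you usually want, since the protection is the second factor rather than the path. Second, if the write permission comes from an unconditional Allow elsewhere and the Deny is written with Bool instead of BoolIfExists, a long-term access key sails through, because the MFA key is simply absent and Bool never matches an absent key.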