stackoom
  简体   繁体   中英

I am trying to set-up MFA for an AWS user in the organization

 原文  2017-09-25 19:21:06       amazon-web-services/ amazon-iam/ policy

Question

       {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1506369084151",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::account_#:user/user_name"
    }
  ]
}

I have this above policy which should enable users to set-up MFA by themselves. However, when I test this policy (by logging in as one of the users, I am not able to perform the desired action)

What am I missing in the policy snippet?

PS: The policy is attached to the user I try to log-in as. So this silly mistake is ruled out.

1 answers

solution1
 2 ACCPTED  2017-09-25 21:58:11

This works for me: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEnableResyncDeleteListMFA",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
        "arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowDeactivateMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
        "arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": true
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Health check failed in dynamic port set-up in AWS ECS I am trying to set up a Contact Us form in my React App using AWS SES, but error that "CredentialsError: Missing credentials in config" AWS Cognito - reset user MFA I am getting this error when trying to user AWS CodeGuru How to correctly set-up Amazon SES How to get AccessToken or Session string in WinUI 3 application to initiate set up of AWS Cognito MFA How to setup MFA to other IAM user in AWS? What is the correct way to set up AWS credentials to work with MFA and be able to assume roles as named profiles via AWS Toolkit in VScode? How do I configure AWS MFA for Terraform? I'm trying to set up ruby on rails git deployment to AWS Elastic Beanstalk; “eb init” failing
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM