我正在尝试为组织中的 AWS 用户设置 MFA
I am trying to set-up MFA for an AWS user in the organization
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1506369084151",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::account_#:user/user_name"
}
]
}
我有上述政策,应该允许用户自行设置 MFA。
但是,当我测试此策略时(通过作为用户之一登录,我无法执行所需的操作)
我在政策片段中遗漏了什么?
PS:策略附加到我尝试登录的用户。所以这个愚蠢的错误被排除了。
这对我有用:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEnableResyncDeleteListMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
"arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
]
},
{
"Sid": "AllowDeactivateMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
"arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1506369084151",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::account_#:user/user_name"
}
]
}
我有上述政策,应该允许用户自行设置 MFA。 但是,当我测试此策略时(通过作为用户之一登录,我无法执行所需的操作)
我在政策片段中遗漏了什么?
PS:策略附加到我尝试登录的用户。所以这个愚蠢的错误被排除了。
这对我有用:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEnableResyncDeleteListMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
"arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
]
},
{
"Sid": "AllowDeactivateMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
"arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
}
]
}