allow-mfa-management-for-iam-user.md
Allows MFA-authenticated IAM users to manage their own MFA device on the My security credentials page

This example shows how you might create an identity-based policy that allows IAM users who are authenticated with multi-factor authentication (MFA) to manage their own MFA device on the My security credentials page. This AWS Management Console page displays account and user information, but with this policy the user can only view and edit their own MFA device.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": "iam:ListVirtualMFADevices",
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/*"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
            }
        }
    ]
}
```

Explanation

  • The AllowViewAccountInfo statement allows the user to view details about the virtual MFA device that is enabled for them. This permission must be in its own statement because iam:ListVirtualMFADevices does not support specifying a resource ARN; you must use "Resource": "*". Note that the API itself is account-wide: a user holding this permission can list the serial numbers and assignment status of every virtual MFA device in the account, not only their own, even though the other statements stop them from changing any device but their own.

  • The AllowManageOwnVirtualMFADevice statement allows the user to create their own virtual MFA device. The resource ARN in this statement allows the user to create an MFA device with any name, but the other statements in the policy only allow the user to attach the device to the currently signed-in user.

  • The AllowManageOwnUserMFA statement allows the user to view or manage their own virtual, U2F, or hardware MFA device. The resource ARN in this statement is built from the ${aws:username} policy variable, so it resolves to the signed-in user's own IAM user and nothing else. Users can't view or manage the MFA device of other users.

  • The DenyAllExceptListedIfNoMFA statement denies every action in every AWS service, except the few listed actions, but only if the user is not signed in with MFA. The statement uses a combination of "Deny" and "NotAction" to explicitly deny every action that is not listed. The listed actions are neither denied nor allowed by this statement; they are allowed (where they are allowed at all) by the other statements in the policy. For more information about the logic of this statement, see NotAction with Deny. If the user is signed in with MFA, the Condition test fails and this statement denies nothing; in that case the user's other policies and statements determine their permissions.

This statement ensures that when the user is not signed in with MFA, they can perform only the listed actions. In addition, they can perform the listed actions only if another statement or policy allows access to those actions.

The ...IfExists version of the Bool operator ensures that if the aws:MultiFactorAuthPresent key is missing from the request context, the condition still returns true. The key is absent whenever a request is signed with long-term credentials such as an IAM user access key, so such a request is denied every action outside the NotAction list, regardless of what other policies allow. This is also why sts:GetSessionToken is in that list: a CLI user can exchange their long-term key plus a current TOTP code for temporary credentials (aws sts get-session-token --serial-number <mfa-arn> --token-code <code>), and requests signed with those credentials carry aws:MultiFactorAuthPresent set to true, which switches the deny statement off. A session token obtained without an MFA code carries the key with the value false and remains restricted.

This policy does not allow users to view the Users page in the IAM console or use that page to access their own user information. To allow this, add the iam:ListUsers action to the AllowViewAccountInfo statement and the DenyAllExceptListedIfNoMFA statement.
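The decision logic described in the explanation above (default deny, explicit Deny over Allow, NotAction inversion, BoolIfExists treating a missing key as a match, and ${aws:username} substitution) can be checked against a small model. The following evaluator is an added example, not AWS code or a complete IAM engine: it handles only the constructs this policy uses, and the second policy (ALLOW_S3_LIST), the account ID and the user names are constructed for illustration. It also applies the iam:ListUsers change suggested in the last paragraph to show its effect.

```python
"""Toy evaluator for the policy on this page (added example, not AWS code).

Models only what this policy needs: default deny, explicit Deny beating
any Allow, NotAction, the BoolIfExists operator and ${aws:username}.
No NotResource, no other condition operators, no resource-based,
session or permissions-boundary policies.
"""
import copy
import fnmatch

# The policy from this page, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowViewAccountInfo", "Effect": "Allow",
         "Action": "iam:ListVirtualMFADevices", "Resource": "*"},
        {"Sid": "AllowManageOwnVirtualMFADevice", "Effect": "Allow",
         "Action": ["iam:CreateVirtualMFADevice"],
         "Resource": "arn:aws:iam::*:mfa/*"},
        {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
         "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice",
                    "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
         "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                       "iam:GetUser", "iam:ListMFADevices",
                       "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                       "sts:GetSessionToken"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Hypothetical second policy attached to the same user (constructed here),
# used to show that the Deny statement overrides Allows granted elsewhere.
ALLOW_S3_LIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # IAM's * and ? wildcards behave like shell globs for our purposes.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _substitute(pattern, ctx):
    # Expand policy variables such as ${aws:username} from the request context.
    for key, val in ctx.items():
        pattern = pattern.replace("${" + key + "}", str(val))
    return pattern


def _action_matches(stmt, action):
    if "Action" in stmt:
        return _matches_any(_as_list(stmt["Action"]), action)
    return not _matches_any(_as_list(stmt["NotAction"]), action)  # NotAction


def _condition_matches(stmt, ctx):
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "BoolIfExists":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in ctx:
                continue  # ...IfExists: a missing key satisfies the test
            if str(ctx[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request across identity policies.

    ctx must carry 'aws:username'. It may carry 'aws:MultiFactorAuthPresent'
    as 'true' or 'false', or omit the key, which is what a request signed
    with long-term access keys looks like.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt, action):
                continue
            resources = [_substitute(r, ctx) for r in _as_list(stmt["Resource"])]
            if not _matches_any(resources, resource):
                continue
            if not _condition_matches(stmt, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny ends evaluation
            allowed = True
    return "Allow" if allowed else "Deny"


def with_list_users(policy):
    """Apply the page's suggestion: add iam:ListUsers to AllowViewAccountInfo
    and to the NotAction list of DenyAllExceptListedIfNoMFA."""
    policy = copy.deepcopy(policy)
    for stmt in policy["Statement"]:
        if stmt["Sid"] == "AllowViewAccountInfo":
            stmt["Action"] = _as_list(stmt["Action"]) + ["iam:ListUsers"]
        elif stmt["Sid"] == "DenyAllExceptListedIfNoMFA":
            stmt["NotAction"].append("iam:ListUsers")
    return policy


# Constructed request contexts and ARNs for an IAM user named "alice".
LONG_TERM_KEY = {"aws:username": "alice"}  # MFA key absent: access-key request
MFA_SESSION = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
OWN_USER = "arn:aws:iam::123456789012:user/alice"
OTHER_USER = "arn:aws:iam::123456789012:user/bob"

if __name__ == "__main__":
    for action, res, ctx in [("iam:GetUser", OWN_USER, LONG_TERM_KEY),
                             ("iam:DeactivateMFADevice", OWN_USER, LONG_TERM_KEY),
                             ("iam:DeactivateMFADevice", OWN_USER, MFA_SESSION)]:
        print(action, res, ctx, "->", evaluate([POLICY], action, res, ctx))
```

Running it shows the split the text describes: with only a long-term access key, alice can read her own user and enrol a device, but cannot deactivate one, list other users, or use an S3 permission granted by another policy; once the context carries aws:MultiFactorAuthPresent=true, the deny statement drops out and the other policies decide.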