How to create an account following the info in an IAM policy

0

Hello,

I'm trying to finish a lab, but got stuck on this one.

"create a policy called all-users which covers the following:

  1. Users can create/list all MFA devices (including virtual) and list MFA device tags.
  2. Users can only enable/deactivate their own MFA devices.
  3. Users can only delete their own virtual MFA device on the condition that they have enabled MFA.

You'll need to use Policy variables such as ${aws:username}."

Now I'm trying to create this, but I've never been able to figure out what exactly has to be done, so I can't go to the next step. Could someone help me figure out what has to be done exactly?

Thank you

  • Why don't you post what you think should work, and what goes wrong? Then we can suggest adjustments.

1 answer
1

You can create a custom IAM policy named "all-users" with the following JSON policy document to achieve the requirements:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAndListAllMFADevicesAndTags",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ListMFADeviceTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EnableAndDeactivateOwnMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:EnableMFADevice",
                "iam:DeactivateMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DeleteOwnVirtualMFADeviceOnlyWithMFA",
            "Effect": "Allow",
            "Action": "iam:DeleteVirtualMFADevice",
            "Resource": "arn:aws:iam::*:mfa/${aws:username}",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}

This policy will allow users to create and list MFA devices and tags, enable and deactivate their own MFA devices, and delete their own virtual MFA devices if MFA is enabled.

Expert
Answered 1 year ago
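To see why the delete statement above must use `Bool` rather than `BoolIfExists`, and how `${aws:username}` restricts the enable/deactivate/delete statements to the caller's own user and device, here is a small policy evaluator as an added example. It is not code from this re:Post answer or from AWS; it models only the pieces this policy uses (exact and wildcard action/resource matching, `${...}` variable expansion, and the `Bool`/`BoolIfExists` operators), and the account ID, user names and request contexts are constructed test data. The `aws:MultiFactorAuthPresent` key is present (true or false) for temporary credentials and absent for long-term access keys, which is exactly the case where `BoolIfExists` silently grants the delete.

```python
import copy
import json
import re

# Constructed copy of the lab's "all-users" policy (assumed to match the
# corrected answer above). Account ID and user names are made-up test data.
POLICY = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CreateAndListAllMFADevicesAndTags", "Effect": "Allow",
     "Action": ["iam:CreateVirtualMFADevice", "iam:ListMFADevices",
                "iam:ListVirtualMFADevices", "iam:ListMFADeviceTags"],
     "Resource": "*"},
    {"Sid": "EnableAndDeactivateOwnMFADevice", "Effect": "Allow",
     "Action": ["iam:EnableMFADevice", "iam:DeactivateMFADevice"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Sid": "DeleteOwnVirtualMFADeviceOnlyWithMFA", "Effect": "Allow",
     "Action": "iam:DeleteVirtualMFADevice",
     "Resource": "arn:aws:iam::*:mfa/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}
''')


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, text):
    # IAM-style matching: '*' matches any run of characters, '?' one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text) is not None


def _expand_variables(text, context):
    # Replace policy variables such as ${aws:username} with request-context
    # values; an unset variable is left as-is so it can never match a real ARN.
    return re.sub(r"\$\{([A-Za-z0-9:_-]+)\}",
                  lambda m: context.get(m.group(1), m.group(0)), text)


def _condition_matches(condition, context):
    # Models Bool and BoolIfExists only, which is all this policy needs.
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        if base != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue      # ...IfExists treats a missing key as a match
                return False      # plain Bool: a missing key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy, action, resource_arn, context):
    """Evaluate one request against a single identity policy (implicit deny by default)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        resources = [_expand_variables(r, context) for r in _as_list(stmt["Resource"])]
        if not any(_wildcard_match(r, resource_arn) for r in resources):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False          # an explicit deny always wins
        allowed = True
    return allowed


def with_if_exists(policy):
    """Same policy, but every Bool condition is rewritten to BoolIfExists (the pitfall)."""
    variant = copy.deepcopy(policy)
    for stmt in variant["Statement"]:
        cond = stmt.get("Condition", {})
        if "Bool" in cond:
            cond["BoolIfExists"] = cond.pop("Bool")
    return variant


# Constructed request contexts and ARNs for user "alice" in a made-up account.
ALICE_MFA_SESSION = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
ALICE_NO_MFA_SESSION = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "false"}
ALICE_ACCESS_KEY = {"aws:username": "alice"}   # long-term keys: MFA key absent
ALICE_MFA = "arn:aws:iam::123456789012:mfa/alice"
BOB_MFA = "arn:aws:iam::123456789012:mfa/bob"
ALICE_USER = "arn:aws:iam::123456789012:user/alice"
BOB_USER = "arn:aws:iam::123456789012:user/bob"


def delete_decisions(policy):
    """Decision for deleting alice's own virtual device under three credential types."""
    return {
        "mfa_session": is_allowed(policy, "iam:DeleteVirtualMFADevice", ALICE_MFA, ALICE_MFA_SESSION),
        "no_mfa_session": is_allowed(policy, "iam:DeleteVirtualMFADevice", ALICE_MFA, ALICE_NO_MFA_SESSION),
        "access_key": is_allowed(policy, "iam:DeleteVirtualMFADevice", ALICE_MFA, ALICE_ACCESS_KEY),
    }


if __name__ == "__main__":
    print("Bool:        ", delete_decisions(POLICY))
    print("BoolIfExists:", delete_decisions(with_if_exists(POLICY)))
    print("alice enables own device: ", is_allowed(POLICY, "iam:EnableMFADevice", ALICE_USER, ALICE_MFA_SESSION))
    print("alice enables bob's device:", is_allowed(POLICY, "iam:EnableMFADevice", BOB_USER, ALICE_MFA_SESSION))
```

With `Bool`, the delete is allowed only from an MFA-authenticated session; with `BoolIfExists` it is also allowed from a plain access key, because the missing context key counts as a match. Against a real account, the same questions can be put to the IAM policy simulator (`aws iam simulate-custom-policy`) with `--context-entries` supplying `aws:MultiFactorAuthPresent`.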
