What permissions to give users to manage their own MFA devices

0

I have IAM users and I want them to manage their own MFA devices. Create them, list them and remove them. They may choose any name they'd like to identify the MFA devices.

I used to have a permission like this:

      {
        Action = [
          "iam:ListMFADevices"
        ],
        Resource = [
          "arn:aws:iam::*:mfa/$${aws:username}",
          "arn:aws:iam::*:user/$${aws:username}"
        ],
        Effect = "Allow"
      },
      {
        Action = [
          "iam:CreateVirtualMFADevice",
          "iam:DeleteVirtualMFADevice",
          "iam:EnableMFADevice",
          "iam:ResyncMFADevice"
        ],
        Resource = [
          "arn:aws:iam::*:mfa/$${aws:username}",
          "arn:aws:iam::*:user/$${aws:username}"
        ],
        Effect = "Allow"
      },

But it seems that in this case the MFA device MUST be named the same as the AWS username. And that is not what I want.

So my question is: what if I change "arn:aws:iam::*:mfa/$${aws:username}", to "arn:aws:iam::*:mfa/*", (and keep the rest the same), can this user then manage MFA devices for all users? Or just for his own account? I can't really find a clear answer on how this should work.

3 Answers
2

If you change the resource ARN from "arn:aws:iam::*:mfa/$${aws:username}" to "arn:aws:iam::*:mfa/*", the IAM user will have permissions to manage MFA devices for all users within the AWS account.

Here's how the updated policy will work:

"arn:aws:iam::*:mfa/*": This resource ARN pattern represents all MFA devices in the AWS account, regardless of the user they are associated with. By using this wildcard (*), the IAM user will have permissions to manage MFA devices for all users in the account.

"arn:aws:iam::*:user/$${aws:username}": This resource ARN pattern specifies the IAM user itself, allowing the user to manage their own MFA device.

With this policy configuration, the IAM user will be able to:

Manage their own MFA device (due to the "arn:aws:iam::*:user/$${aws:username}" resource ARN).

Manage MFA devices for all users in the AWS account (due to the "arn:aws:iam::*:mfa/*" resource ARN).

This might help too: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html

https://medium.com/@debolek4dem/risks-of-broad-permissions-for-creating-mfa-devices-c7ab3d7b93f3

A_J (EXPERT), answered 23 days ago
iBehr (AWS EXPERT), reviewed 23 days ago
  • So the difference then would be to allow CreateMFA to "mfa/*" but others to "user/${aws:username}". Would this not allow the user to create a MFA device for all users then?

  • Yes, allowing CreateVirtualMFADevice to arn:aws:iam::*:mfa/* while restricting other actions to arn:aws:iam::*:user/${aws:username} would permit the user to create MFA devices for any user, not just themselves. This can create a security risk as it grants broader permissions than intended. You can read more about it here: https://medium.com/@debolek4dem/risks-of-broad-permissions-for-creating-mfa-devices-c7ab3d7b93f3
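
To see concretely what the `mfa/*` resource grants, here is an added example (not code from the question or any answer) that evaluates the second answer's policy locally with a minimal re-implementation of IAM's wildcard matching, policy-variable substitution and Deny/Allow ordering. It assumes a constructed account ID and user names, ignores Condition blocks and permission boundaries, and the `mfa_resource` parameter is only there so you can try narrower ARNs; confirm any real policy with the IAM Policy Simulator.

```python
import re

# Constructed sample (not from any real account): the second answer's policy,
# evaluated here for a hypothetical IAM user "alice".
ACCOUNT_ID = "111122223333"

def self_service_mfa_policy(mfa_resource="arn:aws:iam::${aws:accountId}:mfa/*"):
    """The second answer's policy; mfa_resource lets you try a narrower ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["iam:ListMFADevices", "iam:ListVirtualMFADevices"]},
            {"Effect": "Allow", "Resource": mfa_resource,
             "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"]},
            {"Effect": "Allow",
             "Resource": "arn:aws:iam::${aws:accountId}:user/${aws:username}",
             "Action": ["iam:EnableMFADevice", "iam:ResyncMFADevice",
                        "iam:DeactivateMFADevice"]},
        ],
    }

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _glob(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _expand(template, ctx):
    """Substitute IAM policy variables such as ${aws:username}; unknown ones stay."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), template)

def evaluate(policy, username, action, resource, account_id=ACCOUNT_ID):
    """IAM's rule: explicit Deny wins, else any matching Allow, else implicit Deny."""
    ctx = {"aws:username": username, "aws:accountId": account_id}
    decision = "Deny"
    for stmt in policy["Statement"]:
        # Actions match case-insensitively; resource ARNs are compared as written.
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(_expand(r, ctx), resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

With the default policy, `evaluate(..., "alice", "iam:CreateVirtualMFADevice", ".../mfa/bob-phone")` returns "Allow" while the same user's `iam:EnableMFADevice` on `.../user/bob` returns "Deny", which is exactly the asymmetry the comment above describes. Passing `"arn:aws:iam::${aws:accountId}:mfa/${aws:username}-*"` as `mfa_resource` (an illustrative naming-prefix pattern, not one from the thread) keeps creation limited to devices whose names start with the caller's own username.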

2

Hello, here's a more concise version of the policy that allows IAM users to manage their own MFA devices:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::${aws:accountId}:mfa/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::${aws:accountId}:user/${aws:username}"
    }
  ]
}

1. List MFA Devices: Allows listing of all MFA devices.

{
  "Effect": "Allow",
  "Action": [
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices"
  ],
  "Resource": "*"
}

3. Manage Own MFA Device: Allows enabling, resyncing, deactivating, and deleting the virtual MFA device for the user's own account.

{
  "Effect": "Allow",
  "Action": [
    "iam:EnableMFADevice",
    "iam:ResyncMFADevice",
    "iam:DeactivateMFADevice",
    "iam:DeleteVirtualMFADevice"
  ],
  "Resource": "arn:aws:iam::${aws:accountId}:user/${aws:username}"
}

This policy allows IAM users to fully manage their own MFA devices without impacting other users' MFA devices. I hope this will resolve your issue.

answered 23 days ago
0

Hello,

To give a user permission to access and modify their own MFA devices, create a policy with the JSON below and attach it to the user or group so they can access it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    }
  ]
}

answered 23 days ago
