CloudFormation does not know that IAM resource paths may now begin with "u2f/", do I have this wrong?

0

I am trying to use CloudFormation to update an IAM group's policy that permits humans to manage their credentials, so that I can allow them to add U2F security keys. To the list of Resources in a couple of places I am adding:

  • arn:aws:iam::111122223333:u2f/user/${aws:username}/*

However, CloudFormation kicks out the change saying, "IAM resource path must either be "*" or start with user/, federated-user/, role/, group/, instance-profile/, mfa/, server-certificate/, policy/, sms-mfa/, saml-provider/, oidc-provider/, report/, access-report/". Do I have that resource format wrong, or does "u2f/" need to be added to CloudFormation's list?
1 Answer
0

I think you can add it as a policy in the cloudformation https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html

Here you have how the u2f policy looks in a policy https://beginaws.awsstudygroup.com/1-account-setup/2-mfa-setup-for-aws-user-root/2-u2f-security-key/

Then you manage with IAM the users or roles that you want to have the permissions to edit those policies.

Take into account that u2f is for MFA, so you can use that prefix https://aws.amazon.com/iam/features/mfa/

Hope this helps

AWS
answered a year ago
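As an added example (not from the question, the answer, or AWS), the following Python script builds the kind of self-service MFA policy document the question describes and runs each Resource entry through a check that mirrors the prefix list quoted in the CloudFormation error. It shows which entries that check accepts (the `mfa/` and `user/` ARNs) and which it rejects (the `u2f/` ARN), so the problem can be reproduced locally before a stack update. The account id `111122223333`, the statement ids and the exact action set are constructed for illustration; only the prefix list comes from the error message on the page.

```python
"""Self-service MFA/U2F policy document plus a resource-path check that mirrors
the CloudFormation error quoted in the question.  Added example; account id,
statement names and action lists are constructed, not taken from AWS."""
from __future__ import annotations

import json
import re

# Allowed IAM resource-path prefixes, copied verbatim from the error message.
CFN_ALLOWED_PATH_PREFIXES = (
    "user/", "federated-user/", "role/", "group/", "instance-profile/",
    "mfa/", "server-certificate/", "policy/", "sms-mfa/", "saml-provider/",
    "oidc-provider/", "report/", "access-report/",
)

# arn:<partition>:iam::<account>:<resource-path>; partition/account are not validated here.
_IAM_ARN = re.compile(r"^arn:(?P<partition>[^:]+):iam::(?P<account>[^:]*):(?P<path>.+)$")


def check_iam_resource(resource: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one Resource entry under the quoted prefix rule."""
    if resource == "*":
        return True, "wildcard"
    m = _IAM_ARN.match(resource)
    if not m:
        return False, "not an IAM ARN"
    path = m.group("path")
    if path == "*":
        return True, "wildcard path"
    for prefix in CFN_ALLOWED_PATH_PREFIXES:
        if path.startswith(prefix):
            return True, f"path starts with {prefix}"
    first = path.split("/", 1)[0] + "/"
    return False, f"path starts with {first}, which is not in the allowed list"


def self_service_mfa_policy(account_id: str) -> dict:
    """Constructed policy letting each user manage only their own MFA devices.

    The last Resource entry in AllowManageOwnUserMFA is the u2f ARN from the question."""
    base = f"arn:aws:iam::{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListVirtualMFADevices",
                "Effect": "Allow",
                "Action": ["iam:ListVirtualMFADevices"],
                "Resource": "*",
            },
            {
                "Sid": "AllowManageOwnVirtualMFADevice",
                "Effect": "Allow",
                "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
                "Resource": [f"{base}:mfa/${{aws:username}}"],
            },
            {
                "Sid": "AllowManageOwnUserMFA",
                "Effect": "Allow",
                "Action": [
                    "iam:DeactivateMFADevice", "iam:EnableMFADevice",
                    "iam:ListMFADevices", "iam:ResyncMFADevice",
                ],
                "Resource": [
                    f"{base}:user/${{aws:username}}",
                    f"{base}:u2f/user/${{aws:username}}/*",
                ],
            },
        ],
    }


def rejected_resources(policy: dict) -> list[str]:
    """Every distinct Resource entry (in document order) the prefix check would reject."""
    rejected: list[str] = []
    for stmt in policy["Statement"]:
        res = stmt.get("Resource", [])
        for entry in ([res] if isinstance(res, str) else res):
            ok, _reason = check_iam_resource(entry)
            if not ok and entry not in rejected:
                rejected.append(entry)
    return rejected


if __name__ == "__main__":
    policy = self_service_mfa_policy("111122223333")
    print(json.dumps(policy, indent=2))
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        for entry in ([res] if isinstance(res, str) else res):
            ok, reason = check_iam_resource(entry)
            print(f"{'accept' if ok else 'REJECT'}  {entry}  ({reason})")
```

Running the script prints the policy and flags only the `u2f/...` entry, which matches the behaviour described in the question: the ARN itself follows the documented `u2f/user/<name>/<device-id>` shape, but the quoted validation list does not include that prefix. If the document is embedded in a template with `Fn::Sub`, write the IAM variable as `${!aws:username}` so that `Sub` passes it through unchanged.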
