1 Answer
You can create a custom IAM policy named "all-users" with the following JSON policy document to achieve the requirements:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateVirtualMFADevice",
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:DeactivateMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": "iam:DeleteVirtualMFADevice",
      "Resource": "arn:aws:iam::*:mfa/${aws:username}",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
This policy will allow users to create and list MFA devices and tags, enable and deactivate their own MFA devices, and delete their own virtual MFA devices if MFA is enabled.
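As an added example (not code from the answer above or from AWS), here is a small Python lint that checks a self-service MFA policy for two things a reviewer looks for: that MFA-management actions are scoped to the caller via ${aws:username}, and that the actions which remove a second factor are themselves gated on aws:MultiFactorAuthPresent. The embedded policy is constructed to mirror the answer; the lint also reports BoolIfExists as weak, because that operator is satisfied when the key is absent, which is the case for requests signed with long-term access keys.

```python
import json

# Constructed sample in the shape of the policy from the answer above.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:ListMFADevices", "iam:ListVirtualMFADevices"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:EnableMFADevice", "iam:DeactivateMFADevice"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Effect": "Allow",
     "Action": "iam:DeleteVirtualMFADevice",
     "Resource": "arn:aws:iam::*:mfa/${aws:username}",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}}
  ]}""")

# Actions that must only reach the caller's own user or MFA resource.
SELF_SCOPED = {"iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
               "iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"}
# Actions that strip a second factor, so they should require MFA themselves.
REQUIRE_MFA = {"iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def mfa_condition(stmt):
    """Return 'Bool', 'BoolIfExists' or None for an MFA-present condition."""
    for op in ("Bool", "BoolIfExists"):
        val = stmt.get("Condition", {}).get(op, {}).get("aws:MultiFactorAuthPresent")
        if str(val).lower() == "true":
            return op
    return None

def lint_mfa_policy(policy):
    """Return (statement index, action, finding) tuples for risky Allow statements."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        own_only = resources and all("${aws:username}" in r for r in resources)
        op = mfa_condition(stmt)
        for action in _as_list(stmt["Action"]):
            if action in SELF_SCOPED and not own_only:
                findings.append((i, action, "resource not scoped to ${aws:username}"))
            if action in REQUIRE_MFA and op is None:
                findings.append((i, action, "no aws:MultiFactorAuthPresent condition"))
            elif action in REQUIRE_MFA and op == "BoolIfExists":
                findings.append((i, action, "BoolIfExists passes when key is absent (long-term keys)"))
    return findings
```

Running lint_mfa_policy(SAMPLE_POLICY) flags DeactivateMFADevice (no MFA condition) and the BoolIfExists on DeleteVirtualMFADevice; switching those statements to a plain Bool condition clears both findings.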
Why don't you post what you think should work, and what goes wrong? Then we can suggest adjustments.