1 回答
- 最新
- 投票最多
- 评论最多
1
You can create a custom IAM policy named "all-users" with the following JSON policy document to achieve the requirements:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListMFADevices",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:DeactivateMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Effect": "Allow",
"Action": "iam:DeleteVirtualMFADevice",
"Resource": "arn:aws:iam::*:mfa/${aws:username}",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}
This policy will allow users to create and list MFA devices and tags, enable and deactivate their own MFA devices, and delete their own virtual MFA devices if MFA is enabled.
Why don't you post what you think should work, and what goes wrong? Then we can suggest adjustments.