1 answer
You can create a custom IAM policy named "all-users" with the following JSON policy document to achieve the requirements:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateVirtualMFADevice",
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:DeactivateMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": "iam:DeleteVirtualMFADevice",
      "Resource": "arn:aws:iam::*:mfa/${aws:username}",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
This policy will allow users to create and list MFA devices and tags, enable and deactivate their own MFA devices, and delete their own virtual MFA devices if MFA is enabled.
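To show why the choice of condition operator on the deletion statement matters, here is an added example (not code from the answer or from AWS) that evaluates a minimal model of that statement under both Bool and BoolIfExists. The evaluator, the account id 123456789012 and the user alice are constructed for illustration and cover only the policy features used on this page.

```python
import fnmatch

# Constructed, deliberately small evaluator: Allow statements only, Action and
# Resource wildcards, ${aws:username} substitution, and the Bool / BoolIfExists
# operators on aws:MultiFactorAuthPresent. It is not a full IAM evaluator.

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    # True when every condition block is satisfied by the request context.
    for op, keys in cond.items():
        for key, want in keys.items():
            have = ctx.get(key)  # None when the key is absent from the request
            if op == "Bool":
                # Absent key never satisfies Bool.
                if have is None or str(have).lower() != str(want).lower():
                    return False
            elif op == "BoolIfExists":
                # Absent key counts as satisfied: a request signed with
                # long-term access keys carries no MFA key at all.
                if have is not None and str(have).lower() != str(want).lower():
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True

def is_allowed(policy, action, resource, ctx):
    """Return True if some Allow statement matches action, resource and context."""
    user = ctx["aws:username"]
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        res = [r.replace("${aws:username}", user) for r in _as_list(st["Resource"])]
        if not any(fnmatch.fnmatchcase(resource, r) for r in res):
            continue
        if _condition_ok(st.get("Condition", {}), ctx):
            return True
    return False

def delete_policy(operator):
    # The DeleteVirtualMFADevice statement, parameterised on the operator.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "iam:DeleteVirtualMFADevice",
        "Resource": "arn:aws:iam::*:mfa/${aws:username}",
        "Condition": {operator: {"aws:MultiFactorAuthPresent": "true"}}}]}

NO_MFA_KEY = {"aws:username": "alice"}  # long-term access keys: key absent
WITH_MFA = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
ARN = "arn:aws:iam::123456789012:mfa/alice"  # constructed account and user
```

Calling is_allowed(delete_policy("BoolIfExists"), "iam:DeleteVirtualMFADevice", ARN, NO_MFA_KEY) returns True, while the same call with "Bool" returns False, which is why an Allow statement meant to require MFA should use Bool.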
Why don't you post what you think should work, and what goes wrong? Then we can suggest adjustments.