EjemplosPoliticasAWS/AWSgeneral/IAMporMFAMySecurityCredentials.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
Primeras politicas 2022-08-31 14:22:42 +02:00			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Sid": "AllowViewAccountInfo",`
			`"Effect": "Allow",`
			`"Action": [`
			`"iam:GetAccountPasswordPolicy",`
			`"iam:ListVirtualMFADevices"`
			`],`
			`"Resource": "*"`
			`},`
			`{`
			`"Sid": "AllowManageOwnPasswords",`
			`"Effect": "Allow",`
			`"Action": [`
			`"iam:ChangePassword",`
			`"iam:GetUser"`
			`],`
			`"Resource": "arn:aws:iam::*:user/${aws:username}"`
			`},`
			`{`
			`"Sid": "AllowManageOwnAccessKeys",`
			`"Effect": "Allow",`
			`"Action": [`
			`"iam:CreateAccessKey",`
			`"iam:DeleteAccessKey",`
			`"iam:ListAccessKeys",`
			`"iam:UpdateAccessKey"`
			`],`
			`"Resource": "arn:aws:iam::*:user/${aws:username}"`
			`},`
			`{`
			`"Sid": "AllowManageOwnSigningCertificates",`
			`"Effect": "Allow",`
			`"Action": [`
			`"iam:DeleteSigningCertificate",`
			`"iam:ListSigningCertificates",`
			`"iam:UpdateSigningCertificate",`
			`"iam:UploadSigningCertificate"`
			`],`
			`"Resource": "arn:aws:iam::*:user/${aws:username}"`
			`},`
			`{`
			`"Sid": "AllowManageOwnSSHPublicKeys",`
			`"Effect": "Allow",`
			`"Action": [`
			`"iam:DeleteSSHPublicKey",`
			`"iam:GetSSHPublicKey",`
			`"iam:ListSSHPublicKeys",`
			`"iam:UpdateSSHPublicKey",`
			`"iam:UploadSSHPublicKey"`
			`],`
			`"Resource": "arn:aws:iam::*:user/${aws:username}"`
			`},`
			`{`
			`"Sid": "AllowManageOwnGitCredentials",`
			`"Effect": "Allow",`
			`"Action": [`
			`"iam:CreateServiceSpecificCredential",`
			`"iam:DeleteServiceSpecificCredential",`
			`"iam:ListServiceSpecificCredentials",`
			`"iam:ResetServiceSpecificCredential",`
			`"iam:UpdateServiceSpecificCredential"`
			`],`
			`"Resource": "arn:aws:iam::*:user/${aws:username}"`
			`},`
			`{`
			`"Sid": "AllowManageOwnVirtualMFADevice",`
			`"Effect": "Allow",`
			`"Action": [`
			`"iam:CreateVirtualMFADevice",`
			`"iam:DeleteVirtualMFADevice"`
			`],`
			`"Resource": "arn:aws:iam::*:mfa/${aws:username}"`
			`},`
			`{`
			`"Sid": "AllowManageOwnUserMFA",`
			`"Effect": "Allow",`
			`"Action": [`
			`"iam:DeactivateMFADevice",`
			`"iam:EnableMFADevice",`
			`"iam:ListMFADevices",`
			`"iam:ResyncMFADevice"`
			`],`
			`"Resource": "arn:aws:iam::*:user/${aws:username}"`
			`},`
			`{`
			`"Sid": "DenyAllExceptListedIfNoMFA",`
			`"Effect": "Deny",`
			`"NotAction": [`
			`"iam:CreateVirtualMFADevice",`
			`"iam:EnableMFADevice",`
			`"iam:GetUser",`
			`"iam:ListMFADevices",`
			`"iam:ListVirtualMFADevices",`
			`"iam:ResyncMFADevice",`
			`"sts:GetSessionToken"`
			`],`
			`"Resource": "*",`
			`"Condition": {`
			`"BoolIfExists": {`
			`"aws:MultiFactorAuthPresent": "false"`
			`}`
			`}`
			`}`
			`]`
			`}`