{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListActions",
"Effect": "Allow",
"Action": [
"iam:ListUsers",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
"Effect": "Allow",
"Action": [
"iam:ListMFADevices"
],
"Resource": [
"arn:aws:iam::*:mfa/*",
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToManageTheirOwnMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "BlockMostAccessUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}