
How to create an IAM policy to allow users to manage their MFA settings and AWS credentials?

AWS IAM lets you control access to AWS resources and grant permissions to individual users. The permissions a particular user holds are defined by IAM policies, each of which allows or denies specific actions on specific resources. For example, a policy that allows the iam:GetUser action lets a user retrieve information about an IAM user from the AWS Management Console, the API, or the CLI.

You can also let your users manage their own multi-factor authentication (MFA) devices and credentials. With a small user base you can assign MFA devices and manage credentials for each user by hand, but with a large user base that does not scale. This is where an IAM policy helps: one policy attached to a group lets every member manage only their own credentials and MFA device, and denies everything else until they have signed in with MFA. In this tutorial we show you how to create such a policy and attach it to a user group.

Before you start, make sure you have all of the following:

  • An AWS account in which you can sign in to IAM with administrative permissions
  • Your account ID number
  • A virtual or hardware-based MFA device
  • A test user that is a member of a user group, as follows:

User name: MFAUser [AWS Management Console access only]

User group name: EC2MFA [Add the test user as a member and do not attach any policy to this user group yet]

Create an IAM Policy for MFA Sign-in

  1. Sign in to your AWS account with administrative access and open the IAM console.
  2. In the left-hand navigation pane, choose Policies and then click Create policy.
  3. Click the JSON tab and paste the following policy document.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

  4. On the review page, type a policy name of your choice (this tutorial uses Force_MFA) and, if you want, a description.
  5. Click Create policy. The new policy appears in the Policies list.
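Before attaching a policy like this it is worth checking what it actually decides for the requests that matter. The Python script below is an added example, not code from this page's author or from AWS: it reproduces the policy above (leaving out the signing-certificate, SSH-key and Git-credential statements, which have the same shape as AllowManageOwnAccessKeys) and runs a small offline evaluation of it, implementing only the IAM semantics the policy depends on: an explicit deny beats any allow, Action versus NotAction, substitution of ${aws:username}, and the difference between the Bool and BoolIfExists condition operators. The account ID 123456789012, the user names and the request contexts are constructed for the example.

```python
"""Offline evaluation of the Force_MFA policy above. Added example, not the page's
or AWS's code: it implements only the IAM semantics this policy relies on (explicit
deny beats allow, Action/NotAction, ${aws:username}, Bool versus BoolIfExists).
Account ID 123456789012 and the user names below are placeholders."""
import copy
import fnmatch

def _own(sid, actions, kind="user"):
    # Allow statement scoped to the caller's own user (or virtual MFA) resource
    return {"Sid": sid, "Effect": "Allow", "Action": actions,
            "Resource": "arn:aws:iam::*:%s/${aws:username}" % kind}

# The page's policy; signing-certificate, SSH-key and Git-credential statements are
# omitted here because they have the same shape as AllowManageOwnAccessKeys.
FORCE_MFA = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowViewAccountInfo", "Effect": "Allow", "Resource": "*",
         "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"]},
        _own("AllowManageOwnPasswords", ["iam:ChangePassword", "iam:GetUser"]),
        _own("AllowManageOwnAccessKeys", ["iam:CreateAccessKey", "iam:DeleteAccessKey",
                                          "iam:ListAccessKeys", "iam:UpdateAccessKey"]),
        _own("AllowManageOwnVirtualMFADevice",
             ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"], kind="mfa"),
        _own("AllowManageOwnUserMFA", ["iam:DeactivateMFADevice", "iam:EnableMFADevice",
                                       "iam:ListMFADevices", "iam:ResyncMFADevice"]),
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "Resource": "*",
         "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                       "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                       "iam:ResyncMFADevice", "sts:GetSessionToken"],
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _matches(patterns, value, username):
    # Case-insensitive IAM wildcard match after substituting ${aws:username}
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value.lower(),
                                   p.replace("${aws:username}", username).lower())
               for p in patterns)

def _condition_met(condition, ctx):
    # Bool / BoolIfExists only: a key absent from the request context satisfies
    # BoolIfExists but never satisfies plain Bool.
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in ctx:
                if operator == "BoolIfExists":
                    continue
                return False
            if str(ctx[key]).lower() != expected.lower():
                return False
    return True

def evaluate(policy, action, resource, username, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    allowed = False
    for st in policy["Statement"]:
        if "Action" in st:
            hit = _matches(st["Action"], action, username)
        else:
            hit = not _matches(st["NotAction"], action, username)
        if not hit or not _matches(st["Resource"], resource, username):
            continue
        if not _condition_met(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides every allow in the policy
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"

USER = "MFAUser"
ME = "arn:aws:iam::123456789012:user/" + USER
OTHER = "arn:aws:iam::123456789012:user/SomeoneElse"
PASSWORD_ONLY = {"aws:MultiFactorAuthPresent": "false"}  # console sign-in, no MFA
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}     # console sign-in with MFA
ACCESS_KEY = {}  # signed with a long-term access key: the context key is absent

def check_policy(policy=FORCE_MFA):
    """Decisions for the requests that matter when reviewing this policy."""
    return {
        "enroll_mfa_without_mfa": evaluate(policy, "iam:EnableMFADevice", ME, USER, PASSWORD_ONLY),
        "create_key_without_mfa": evaluate(policy, "iam:CreateAccessKey", ME, USER, PASSWORD_ONLY),
        "create_key_with_mfa": evaluate(policy, "iam:CreateAccessKey", ME, USER, MFA_SESSION),
        "create_key_for_other_user": evaluate(policy, "iam:CreateAccessKey", OTHER, USER, MFA_SESSION),
        "remove_mfa_without_mfa": evaluate(policy, "iam:DeactivateMFADevice", ME, USER, PASSWORD_ONLY),
        "ec2_without_mfa": evaluate(policy, "ec2:RunInstances", "*", USER, PASSWORD_ONLY),
        "list_keys_with_access_key": evaluate(policy, "iam:ListAccessKeys", ME, USER, ACCESS_KEY),
    }

def with_plain_bool(policy=FORCE_MFA):
    """Same policy with Bool instead of BoolIfExists in the deny statement."""
    weak = copy.deepcopy(policy)
    for st in weak["Statement"]:
        if st["Effect"] == "Deny":
            st["Condition"] = {"Bool": st["Condition"]["BoolIfExists"]}
    return weak
```

Calling check_policy() shows the behaviour a reviewer wants from this policy: a password-only session can enrol a device (iam:EnableMFADevice is in the NotAction list) but cannot create access keys, run EC2 actions or, importantly, call iam:DeactivateMFADevice, so a stolen password alone cannot strip the device. With MFA, the user can manage their own keys but a request against another user's ARN is still implicitly denied because every allow is scoped to ${aws:username}. The with_plain_bool() variant shows why the deny uses BoolIfExists rather than Bool: a request signed with a long-term access key carries no aws:MultiFactorAuthPresent key at all, so with plain Bool the deny never matches and iam:ListAccessKeys goes through without MFA.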

Attach your policy to a user group

Now attach the policy to the test user group created earlier, or to a user group of your choice.

  1. In the left-hand navigation pane, click User groups and type the name of your user group in the search box; in our case it is EC2MFA.
  2. On the Permissions tab, click Add permissions and then Attach policies.
  3. In the search box type EC2Full and check the box next to AmazonEC2FullAccess.
  4. Search again for Force_MFA and check the box next to it.
  5. Click Attach policies.

You have now created an MFA policy and attached it to a user group. Members of EC2MFA can manage their own credentials and MFA device, and because the DenyAllExceptListedIfNoMFA statement applies to every action outside its NotAction list, the EC2 permissions granted by AmazonEC2FullAccess are usable only from a session that was authenticated with MFA.

Written by DANN N
