Question

我想向新用户发送他们的IAM用户名和临时凭据，然后要求他们更改密码并要求他们配置自己的虚拟MFA 才能访问任何内容否则在控制台中。

1）创建用户时，我显然可以生成临时密码，并要求他们在首次登录时更改密码。 Security Credentials-->Manage Password-->'Require user to create a new password at next sign-in'.

2）以下政策将permit IAM users to change their own passwords：

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:ChangePassword",
      "iam:GetAccountPasswordPolicy"
    ],
    "Resource": "*"
  }
}

3）以下政策allows users to manage only their own virtual mfa devices：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
        "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowUsersToDeactivateTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
        "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": true
        }
      }
    },
    {
      "Sid": "AllowUsersToListMFADevicesandUsersForConsole",
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

使用上述三种方法我可以要求他们更改密码并允许他们配置自己的虚拟MFA设备，我只是不知道是否有办法要求他们配置MFA

Answer 1

我发布了完整的解决方案，因为它不是Can you require MFA for AWS IAM accounts?的副本，这非常有用，但不是允许新的IAM用户登录控制台，更改的完整解决方案他们的密码并自行添加他们自己的虚拟MFA 。

1）创建托管策略以允许用户change their own passwords：

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:ChangePassword",
      "iam:GetAccountPasswordPolicy"
    ],
    "Resource": "*"
  }
}

2）创建托管策略以允许用户manage their own virtual mfa devices：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
        "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowUsersToDeactivateTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
        "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": true
        }
      }
    },
    {
      "Sid": "AllowUsersToListMFADevicesandUsersForConsole",
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

3）将以下条件添加到您要求MFA的所有政策中：

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyEC2RequireMFA",
        "Action": [
            "ec2:Describe*"
        ],
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {
            "Null": {
                "aws:MultiFactorAuthAge": "false"
            }
        }
    }]
}

4）当您创建新的IAM用户并为其分配密码时，请选中“要求用户在下次登录时创建新密码”框并应用上述三个托管策略（或将托管策略分配给分组并将用户添加到组中。

现在将用户名和临时密码分发给新的IAM用户。当他们登录时会提示他们更改密码，然后他们只能进入IAM，选择他们自己的用户帐户和add their own MFA device。他们需要注销并使用MFA重新登录才能获得ec2:Describe*权限。

AWS IAM策略：要求用户自行配置MFA

1 个答案: