AWS PowerUser with MFA (IAM policy)

Time: 2016-01-17 18:18:06

Tags: amazon-web-services

I copied the PowerUser policy and added an MFA condition, which gives the MFA-PowerUser policy shown below

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": "iam:*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}

The description and intent are:

Provides full access to AWS services and resources, but does not allow management of Users and groups. MFA needed by login.

When I test against EC2 with the Policy Simulator, every EC2 action is denied with the reason

implicitly denied (no matching statement)

1 answer:

Answer 0 (score: 3)

Solved it myself. The environment variable MultiFactorAuthPresent has to be supplied to the simulator
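The behaviour behind the question and the answer can be reproduced offline with a small policy evaluator. The code below is an added example, not part of the original post and not AWS's own evaluation engine: it models only the subset of IAM semantics the posted policy uses (Action/NotAction matching, the Bool condition operator, explicit and implicit deny) and shows why the request context decides the outcome. When the context passed to the evaluator carries no aws:MultiFactorAuthPresent key, the Bool condition cannot be satisfied, so the statement does not match and the result is the implicit deny the questioner saw; once the key is present and true, the EC2 action is allowed while iam:* stays denied. The function names (evaluate, statement_matches) are this example's own.

```python
"""Minimal model of how an IAM policy is evaluated against a request context.

Added example, not AWS code. Supports only what the MFA-PowerUser policy
needs: Action / NotAction, the Bool condition operator, Allow / Deny effects.
"""
import fnmatch

# The questioner's MFA-PowerUser policy, copied from the post above.
MFA_POWERUSER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": "iam:*",
            "Resource": "*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"}
            },
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/NotAction."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are matched case-insensitively; '*' is a wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_matches(stmt, action, context):
    """Return True when the statement applies to this action and context."""
    if "Action" in stmt:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            return False
    if "NotAction" in stmt:
        if any(_action_matches(p, action) for p in _as_list(stmt["NotAction"])):
            return False
    for operator, clauses in stmt.get("Condition", {}).items():
        if operator != "Bool":
            # Only the operator used by the posted policy is modelled here.
            raise NotImplementedError(f"condition operator {operator!r} not modelled")
        for key, expected in clauses.items():
            # A plain Bool test on a key that is absent from the request
            # context evaluates to false, so the whole statement fails to
            # match. This is what happens when the simulator is run without
            # the MultiFactorAuthPresent context value.
            if key not in context:
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, context=None):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one action.

    An explicit Deny always wins; with no matching statement at all the
    default is an implicit deny, which the simulator reports as
    "implicitly denied (no matching statement)".
    """
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not statement_matches(stmt, action, context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        allowed = True
    return "allowed" if allowed else "implicitDeny"


if __name__ == "__main__":
    # Constructed request contexts: one without MFA information (the
    # questioner's first simulator run), one with MFA asserted.
    no_mfa = {}
    with_mfa = {"aws:MultiFactorAuthPresent": "true"}
    for action in ("ec2:DescribeInstances", "iam:CreateUser"):
        print(action, "no MFA context ->", evaluate(MFA_POWERUSER_POLICY, action, no_mfa))
        print(action, "MFA present   ->", evaluate(MFA_POWERUSER_POLICY, action, with_mfa))
```

For the real service, the same idea applies: when calling the IAM SimulateCustomPolicy API (for example through boto3's simulate_custom_policy), the MFA flag is supplied through the ContextEntries parameter as a boolean context key named aws:MultiFactorAuthPresent; in the console simulator the equivalent is the global MultiFactorAuthPresent setting the answer refers to. Without it, every statement gated on that condition fails to match, exactly as in the model above.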