具有MFA的AWS PowerUser（IAM策略）

Question

我模仿了PowerUser策略并添加了MFA条件，导致MFA-PowerUser如下所示

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "NotAction": "iam:*",
        "Resource": "*",
        "Condition": {
            "Bool": {
                "aws:MultiFactorAuthPresent": "true"
            }
        }
    }
]

}

描述和意图是：

Provides full access to AWS services and resources, but does not allow management of Users and groups. MFA needed by login.

使用策略模拟器对EC2进行测试所有EC2操作均被拒绝，原因为

implicitly denied (no matching statement)

Answer 1

自己解决了。应该将环境变量MultiFactorAuthPresent提供给模拟器