I copied the PowerUser policy and added an MFA condition, giving the MFA-PowerUser policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
The description and intent are:
Provides full access to AWS services and resources, but does not allow management of users and groups. MFA is required at login.
When I test it against EC2 with the policy simulator, every EC2 action is denied, with the reason:
implicitly denied (no matching statement)
Answer 0: (score: 3)
Solved it myself. The MultiFactorAuthPresent environment variable has to be supplied to the simulator.
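Added example (not part of the original question or answer): a small policy evaluator that reproduces the behaviour seen in the simulator. The mechanism is the same one that protects a real non-MFA session: `aws:MultiFactorAuthPresent` is simply absent from the request context when no MFA was used, and a `Bool` condition on an absent key evaluates to false, so the only Allow statement does not match and the result is an implicit deny. Supplying the key with value `true` is what makes the statement match, which in the AWS CLI is `aws iam simulate-custom-policy --policy-input-list file://mfa-poweruser.json --action-names ec2:DescribeInstances --context-entries ContextKeyName=aws:MultiFactorAuthPresent,ContextKeyValues=true,ContextKeyType=boolean`. The evaluator below is a deliberately reduced model of IAM evaluation (Action/NotAction, Effect, and the `Bool`/`BoolIfExists` operators only; Resource matching is ignored), written for this page and not AWS code; the policy text is a copy of the one in the question.

```python
"""Toy IAM evaluator for the MFA-PowerUser policy (illustration only, not the AWS engine)."""
import fnmatch
import json

# The MFA-PowerUser policy from the question, embedded here so the script runs offline.
MFA_POWER_USER = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
""")


def _matches_action(patterns, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the Bool and BoolIfExists operators only (enough for this policy)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            same = present and str(context[key]).lower() == str(expected).lower()
            if operator == "Bool":
                # Absent key -> Bool is false -> statement does not match.
                if not same:
                    return False
            elif operator == "BoolIfExists":
                # Absent key -> treated as matching; present key must equal expected.
                if present and not same:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def evaluate(policy, action, context=None):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one action.

    context maps condition keys to their string values, mirroring the
    simulator's --context-entries. An empty context is a request without MFA.
    """
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            hit = _matches_action(stmt["Action"], action)
        else:  # NotAction: statement applies to everything except the listed actions
            hit = not _matches_action(stmt["NotAction"], action)
        if not hit:
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # explicit deny always wins
        allowed = True
    return "allow" if allowed else "implicit_deny"


if __name__ == "__main__":
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    # No context key at all: this is what the simulator did before the fix.
    print(evaluate(MFA_POWER_USER, "ec2:DescribeInstances"))        # implicit_deny
    print(evaluate(MFA_POWER_USER, "ec2:DescribeInstances", mfa))   # allow
    print(evaluate(MFA_POWER_USER, "iam:CreateUser", mfa))          # implicit_deny
```

Running the script shows the three outcomes a practitioner should expect from this policy: no MFA context gives `implicit_deny` for EC2 (the symptom in the question), MFA present gives `allow`, and `iam:*` stays denied even with MFA because of the `NotAction`. Note that the IAM Allow statement uses `Bool`, which is the right operator here; `BoolIfExists` would make an absent key count as a match and would silently grant access to sessions that never used MFA.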