{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1506369084151",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::account_#:user/user_name"
}
]
}
我有上述政策,应该让用户自己设置MFA。 但是,当我测试此策略时(通过以其中一个用户身份登录,我无法执行所需的操作)
政策代码段中缺少什么?
PS:该策略附加到我尝试登录的用户。所以这个愚蠢的错误被排除了。
答案 0 :(得分:2)
这对我有用:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEnableResyncDeleteListMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
"arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
]
},
{
"Sid": "AllowDeactivateMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
"arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
}
]
}