{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1506369084151",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::account_#:user/user_name"
    }
  ]
}
I have the above policy, which should enable users to set up MFA by themselves. However, when I test this policy (by logging in as one of the users), I am not able to perform the desired action.
What am I missing in the policy snippet?
PS: The policy is attached to the user I try to log in as, so this silly mistake is ruled out.
This works for me:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEnableResyncDeleteListMFA",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
        "arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowDeactivateMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
        "arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": true
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
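
Added example (not part of the answer above and not AWS code): a simplified Allow-only evaluator in Python that runs the two calls needed to enable a virtual MFA device against both policies on this page, showing that the question's `user/` resource never matches the `mfa/` ARN that `iam:CreateVirtualMFADevice` is authorized against. Assumptions: a constructed account ID and user name `alice`, a device named after the user, and hypothetical helper names (`stmt`, `allowed`, `mfa_setup`).

```python
import re
from fnmatch import fnmatchcase

ACCT = "111122223333"  # constructed account ID (assumption)
SELF = [f"arn:aws:iam::{ACCT}:mfa/${{aws:username}}",
        f"arn:aws:iam::{ACCT}:user/${{aws:username}}"]

def stmt(actions, resources, condition=None):
    return {"Action": actions, "Resource": resources, "Condition": condition or {}}

# Question's policy, with the placeholder user_name filled in as "alice".
QUESTION = [stmt(["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                  "iam:ListMFADevices", "iam:ResyncMFADevice"],
                 [f"arn:aws:iam::{ACCT}:user/alice"])]
# Answer's policy, statement for statement.
ANSWER = [
    stmt(["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
          "iam:ResyncMFADevice", "iam:DeleteVirtualMFADevice"], SELF),
    stmt(["iam:DeactivateMFADevice"], SELF,
         {"Bool": {"aws:MultiFactorAuthPresent": True}}),
    stmt(["iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ListUsers"], ["*"]),
]

def allowed(policy, action, resource, ctx):
    """Simplified Allow-only evaluation: action, resource and Bool conditions."""
    for s in policy:
        # Expand policy variables such as ${aws:username} from the request context.
        pats = [re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), r)
                for r in s["Resource"]]
        bools = s["Condition"].get("Bool", {})
        if (action in s["Action"]
                and any(fnmatchcase(resource, p) for p in pats)
                and all(k in ctx and ctx[k] == v for k, v in bools.items())):
            return True
    return False  # no matching Allow: implicit deny

def mfa_setup(policy, user="alice", mfa_present=False):
    """Evaluate the two calls that enable a virtual MFA device for `user`."""
    ctx = {"aws:username": user, "aws:MultiFactorAuthPresent": mfa_present}
    calls = [("iam:CreateVirtualMFADevice", f"arn:aws:iam::{ACCT}:mfa/{user}"),
             ("iam:EnableMFADevice", f"arn:aws:iam::{ACCT}:user/{user}")]
    return {a: allowed(policy, a, r, ctx) for a, r in calls}

if __name__ == "__main__":
    print("question:", mfa_setup(QUESTION))
    print("answer:  ", mfa_setup(ANSWER))
```

Real IAM evaluation also handles explicit Deny, case-insensitive action names and other condition operators; `aws iam simulate-custom-policy` checks a policy document against the actual engine.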