
Permitting IAM users to manage MFA and password without giving admin rights

Sep 4, 2015 | Announcements, Migration, MSP

When we build infrastructure for our clients, we make sure each user has the least amount of privilege needed. This walkthrough guides you through giving a user enough permissions to manage their own MFA device and password without giving them admin rights.

1. Navigate to IAM, click Create Policy, and select Create Your Own Policy.

2. Paste in the policy below (replace account-id-without-hyphens with your own 12-digit account number). The `${aws:username}` variable scopes the resources to the calling user's own IAM user and MFA device, and the deactivate/delete statement only applies when the request itself was made with MFA, so a stolen password alone cannot remove the device.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToCreateEnableResyncTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
        "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowUsersToDeactivateDeleteTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
        "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": true
        }
      }
    },
    {
      "Sid": "AllowUsersToListMFADevicesandUsersForConsole",
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

3. Now go to the IAM user and attach this policy to the user.

4. Lastly, to allow the user to manage their own password, go to Account Settings under IAM and select Allow users to change their own password.
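As an added example (not part of the original post), the following Python renders the policy above for a given account id and checks that it keeps the post's least-privilege shape: no write action on Resource "*", every non-wildcard resource scoped to `${aws:username}`, and deactivate/delete gated on `aws:MultiFactorAuthPresent`. The account id is a constructed sample.

```python
import json
import re

# Constructed sample account id for the example; replace with your own 12-digit id.
ACCOUNT_ID = "123456789012"

MUTATING_MFA_ACTIONS = {"iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"}

def build_self_service_mfa_policy(account_id: str) -> dict:
    """Return the post's self-service MFA policy with the account id filled in."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account id must be 12 digits with no hyphens")
    own = [f"arn:aws:iam::{account_id}:mfa/${{aws:username}}",
           f"arn:aws:iam::{account_id}:user/${{aws:username}}"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowUsersToCreateEnableResyncTheirOwnVirtualMFADevice",
             "Effect": "Allow",
             "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                        "iam:ResyncMFADevice"],
             "Resource": own},
            {"Sid": "AllowUsersToDeactivateDeleteTheirOwnVirtualMFADevice",
             "Effect": "Allow",
             "Action": sorted(MUTATING_MFA_ACTIONS),
             "Resource": own,
             "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
            {"Sid": "AllowUsersToListMFADevicesandUsersForConsole",
             "Effect": "Allow",
             "Action": ["iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ListUsers"],
             "Resource": "*"},
        ],
    }

def policy_problems(policy: dict) -> list:
    """Flag statements that widen the policy beyond the post's intent."""
    problems = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        # Only List* actions may use the wildcard resource.
        if "*" in resources and any(not a.startswith("iam:List") for a in actions):
            problems.append(f'{st["Sid"]}: non-List action on Resource "*"')
        # Every concrete resource must be the caller's own user or MFA device.
        if any(not r.endswith("${aws:username}") for r in resources if r != "*"):
            problems.append(f'{st["Sid"]}: resource not scoped to ${{aws:username}}')
        # Removing a device must itself require an MFA-authenticated session.
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if MUTATING_MFA_ACTIONS & set(actions) and str(mfa).lower() != "true":
            problems.append(f'{st["Sid"]}: deactivate/delete allowed without MFA')
    return problems

if __name__ == "__main__":
    pol = build_self_service_mfa_policy(ACCOUNT_ID)
    print(json.dumps(pol, indent=2))
    print("problems:", policy_problems(pol))
```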

nClouds