PatrickJD/aws-mfa-enforce.json

## aws-mfa-enforce.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListActions",
            "Effect": "Allow",
            "Action": [
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:ListMFADevices"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/*",
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToManageTheirOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}"
            ],
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        },
        {
            "Sid": "BlockMostAccessUnlessSignedInWithMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ListUsers",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "AllowListActions",
	"Effect": "Allow",
	"Action": [
	"iam:ListVirtualMFADevices"
	],
	"Resource": "*"
	},
	{
	"Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
	"Effect": "Allow",
	"Action": [
	"iam:ListMFADevices"
	],
	"Resource": [
	"arn:aws:iam:::mfa/",
	"arn:aws:iam::*:user/${aws:username}"
	]
	},
	{
	"Sid": "AllowIndividualUserToManageTheirOwnMFA",
	"Effect": "Allow",
	"Action": [
	"iam:CreateVirtualMFADevice",
	"iam:DeleteVirtualMFADevice",
	"iam:EnableMFADevice",
	"iam:ResyncMFADevice"
	],
	"Resource": [
	"arn:aws:iam::*:mfa/${aws:username}",
	"arn:aws:iam::*:user/${aws:username}"
	]
	},
	{
	"Sid": "AllowManageOwnAccessKeys",
	"Effect": "Allow",
	"Action": [
	"iam:CreateAccessKey",
	"iam:DeleteAccessKey",
	"iam:ListAccessKeys",
	"iam:UpdateAccessKey"
	],
	"Resource": "arn:aws:iam::*:user/${aws:username}"
	},
	{
	"Sid": "AllowManageOwnSSHPublicKeys",
	"Effect": "Allow",
	"Action": [
	"iam:DeleteSSHPublicKey",
	"iam:GetSSHPublicKey",
	"iam:ListSSHPublicKeys",
	"iam:UpdateSSHPublicKey",
	"iam:UploadSSHPublicKey"
	],
	"Resource": "arn:aws:iam::*:user/${aws:username}"
	},
	{
	"Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
	"Effect": "Allow",
	"Action": [
	"iam:DeactivateMFADevice"
	],
	"Resource": [
	"arn:aws:iam::*:mfa/${aws:username}",
	"arn:aws:iam::*:user/${aws:username}"
	],
	"Condition": {
	"Bool": {
	"aws:MultiFactorAuthPresent": "true"
	}
	}
	},
	{
	"Sid": "BlockMostAccessUnlessSignedInWithMFA",
	"Effect": "Deny",
	"NotAction": [
	"iam:CreateVirtualMFADevice",
	"iam:EnableMFADevice",
	"iam:ListMFADevices",
	"iam:ListUsers",
	"iam:ListVirtualMFADevices",
	"iam:ResyncMFADevice"
	],
	"Resource": "*",
	"Condition": {
	"BoolIfExists": {
	"aws:MultiFactorAuthPresent": "false"
	}
	}
	}
	]
	}