
@dale-c-anderson
Last active January 18, 2023 20:00
Replace every instance of XXXXXXXXXXXX with your own AWS account ID, then attach this policy to the groups where you want MFA enforced. Caveats before relying on it: the final Deny statement uses `"NotAction": "iam:*"`, so it only blocks non-IAM actions — any IAM permissions granted by other policies attached to the same user or group remain usable without MFA, and the self-service statements above (including `iam:CreateAccessKey`, `iam:UpdateAccessKey` and the login-profile actions, which carry no MFA condition) are reachable with a password alone. AWS documents that `aws:MultiFactorAuthPresent` is absent on calls made with long-term access keys, so with `BoolIfExists` this Deny also blocks `sts:GetSessionToken`; unless that action is added to the `NotAction` list (as in AWS's published MFA self-service example), CLI users cannot bootstrap an MFA session. Also verify in the IAM action reference whether `iam:ListVirtualMFADevices` accepts a resource-level ARN — if it does not, it needs `"Resource": "*"` rather than the `mfa/*` ARN used here.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllUsersToListAccounts",
"Effect": "Allow",
"Action": [
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:GetAccountSummary"
],
"Resource": "*"
},
{
"Sid": "AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:DeleteAccessKey",
"iam:DeleteLoginProfile",
"iam:GetAccountPasswordPolicy",
"iam:GetLoginProfile",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
"iam:UpdateLoginProfile",
"iam:ListSigningCertificates",
"iam:DeleteSigningCertificate",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate",
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey",
"iam:DeleteSSHPublicKey",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey",
"iam:ListUserPolicies",
"iam:GetUser",
"iam:ListGroupsForUser",
"iam:ListUserTags",
"iam:ListServiceSpecificCredentials"
],
"Resource": "arn:aws:iam::XXXXXXXXXXXX:user/${aws:username}"
},
{
"Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
"Effect": "Allow",
"Action": [
"iam:ListVirtualMFADevices",
"iam:ListMFADevices"
],
"Resource": [
"arn:aws:iam::XXXXXXXXXXXX:mfa/*",
"arn:aws:iam::XXXXXXXXXXXX:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToManageTheirOwnMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource": [
"arn:aws:iam::XXXXXXXXXXXX:mfa/${aws:username}*",
"arn:aws:iam::XXXXXXXXXXXX:user/${aws:username}*"
]
},
{
"Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::XXXXXXXXXXXX:mfa/${aws:username}*",
"arn:aws:iam::XXXXXXXXXXXX:user/${aws:username}*"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "DenyAllNonIamActionsUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}