@sechiro
Last active July 16, 2018 08:10
A policy that gives users permission to manage their own credentials: password, access keys, virtual MFA devices and so on. It was created from AWS's sample policies. Where the samples write the account id as "ACCOUNT-ID-WITHOUT-HYPHENS", this version changes it to "*". That is fine as-is, but if it bothers you, replace it with your own account number. The "Power User" policy that AWS provides contains no IAM-related permissions, so combining it with this one gives you a "Power User" who can use IAM only on their own account. http://docs.aws.amazon.com/IAM/latest/UserGuide/Credentials-Permissions-examples.html
allow-manage-their-own-credentials.json

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersAllActionsForCredentials",
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:*SigningCertificate*"
      ],
      "Resource": ["arn:aws:iam::*:user/${aws:username}"]
    },
    {
      "Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccount*",
        "iam:ListAccount*"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "AllowUsersToListUsersInConsole",
      "Effect": "Allow",
      "Action": ["iam:ListUsers"],
      "Resource": ["arn:aws:iam::*:user/*"]
    }
  ]
}
```
allow-manage-their-own-virtualmfa.json

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToCreateDeleteTheirOwnVirtualMFADevices",
      "Effect": "Allow",
      "Action": ["iam:*VirtualMFADevice"],
      "Resource": ["arn:aws:iam::*:mfa/${aws:username}"]
    },
    {
      "Sid": "AllowUsersToEnableSyncDisableTheirOwnMFADevices",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": ["arn:aws:iam::*:user/${aws:username}"]
    },
    {
      "Sid": "AllowUsersToListVirtualMFADevices",
      "Effect": "Allow",
      "Action": ["iam:ListVirtualMFADevices"],
      "Resource": ["arn:aws:iam::*:mfa/*"]
    },
    {
      "Sid": "AllowUsersToListUsersInConsole",
      "Effect": "Allow",
      "Action": ["iam:ListUsers"],
      "Resource": ["arn:aws:iam::*:user/*"]
    }
  ]
}
```
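To see what the `${aws:username}` variable buys you, here is a small offline evaluator (an added example, not part of the gist and not AWS's evaluation engine) that replays the Allow statements of the two policies above for a caller and reports whether a given action on a given ARN would be granted. The account id `123456789012` and the users `alice` and `bob` are constructed values.

```python
import fnmatch

# Allow statements of the two gist policies above, in compact form.
SELF_MANAGEMENT_POLICY = [
    {"Action": ["iam:*LoginProfile", "iam:*AccessKey*", "iam:*SigningCertificate*"],
     "Resource": ["arn:aws:iam::*:user/${aws:username}"]},
    {"Action": ["iam:GetAccount*", "iam:ListAccount*"], "Resource": ["*"]},
    {"Action": ["iam:ListUsers"], "Resource": ["arn:aws:iam::*:user/*"]},
    {"Action": ["iam:*VirtualMFADevice"],
     "Resource": ["arn:aws:iam::*:mfa/${aws:username}"]},
    {"Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice",
                "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Resource": ["arn:aws:iam::*:user/${aws:username}"]},
    {"Action": ["iam:ListVirtualMFADevices"], "Resource": ["arn:aws:iam::*:mfa/*"]},
]


def is_allowed(statements, caller_username, action, resource_arn):
    """Return True if an Allow statement grants `action` on `resource_arn` to
    the IAM user `caller_username`; anything unmatched is an implicit deny.
    Only the subset of IAM semantics these policies use is modelled: Allow
    statements, '*' / '?' wildcards (actions case-insensitive, ARNs
    case-sensitive) and the ${aws:username} policy variable."""
    for stmt in statements:
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                   for pat in stmt["Action"]):
            continue
        for res in stmt["Resource"]:
            # The variable resolves to the caller's own user name, which is
            # what keeps one user from touching another user's credentials.
            res = res.replace("${aws:username}", caller_username)
            if fnmatch.fnmatchcase(resource_arn, res):
                return True
    return False


if __name__ == "__main__":
    # Constructed account id and user names.
    own = "arn:aws:iam::123456789012:user/alice"
    other = "arn:aws:iam::123456789012:user/bob"
    print(is_allowed(SELF_MANAGEMENT_POLICY, "alice", "iam:CreateAccessKey", own))    # True
    print(is_allowed(SELF_MANAGEMENT_POLICY, "alice", "iam:CreateAccessKey", other))  # False
    print(is_allowed(SELF_MANAGEMENT_POLICY, "alice", "iam:AttachUserPolicy", own))   # False
```

The third case is the one worth keeping in mind: nothing in these policies lets a user change their own permissions, only their own credentials.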
```bash
#!/bin/bash
# Create a new group and attach the policies listed above to it as inline policies.
# If the group already exists, only the policy attachment is performed.
set -ue
script_dir=$(cd "$(dirname "$0")" && pwd)
cd "$script_dir"
group_name=${1:-"allow-iam-self-management"}
# Note: any create-group failure (not only "already exists") is reported this way,
# and the script then carries on to attach the policies.
aws iam create-group --group-name "$group_name" || echo "Group '$group_name' already exists."
policy_documents=(
    allow-manage-their-own-credentials.json
    allow-manage-their-own-virtualmfa.json
)
for policy_document in "${policy_documents[@]}"; do
    # The inline policy name is the file name without its .json extension.
    policy_name=$(basename "$policy_document" .json)
    aws iam put-group-policy \
        --group-name "$group_name" \
        --policy-name "$policy_name" \
        --policy-document "file://$policy_document"
done
```