Created
December 16, 2018 01:42
-
-
Save tb3088/83b3f8761456ace5ee3761cd613acd6b to your computer and use it in GitHub Desktop.
IAM user self-management
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "AllowAllUsersToListAccounts", | |
"Effect": "Allow", | |
"Action": [ | |
"iam:ListAccountAliases", | |
"iam:ListUsers", | |
"iam:ListGroups", | |
"iam:GetAccountPasswordPolicy", | |
"iam:GetAccountSummary" | |
], | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation", | |
"Effect": "Allow", | |
"Action": [ | |
"iam:ChangePassword", | |
"iam:CreateAccessKey", | |
"iam:CreateLoginProfile", | |
"iam:DeleteAccessKey", | |
"iam:DeleteLoginProfile", | |
"iam:GetLoginProfile", | |
"iam:ListAccessKeys", | |
"iam:UpdateAccessKey", | |
"iam:UpdateLoginProfile", | |
"iam:ListSigningCertificates", | |
"iam:DeleteSigningCertificate", | |
"iam:UpdateSigningCertificate", | |
"iam:UploadSigningCertificate", | |
"iam:ListSSHPublicKeys", | |
"iam:GetSSHPublicKey", | |
"iam:DeleteSSHPublicKey", | |
"iam:UpdateSSHPublicKey", | |
"iam:UploadSSHPublicKey" | |
], | |
"Resource": "arn:aws:iam::*:user/${aws:username}" | |
}, | |
{ | |
"Sid": "AllowIndividualUserToViewAndManageTheirOwnMFA", | |
"Effect": "Allow", | |
"Action": [ | |
"iam:CreateVirtualMFADevice", | |
"iam:DeleteVirtualMFADevice", | |
"iam:DeactivateMFADevice", | |
"iam:EnableMFADevice", | |
"iam:ListMFADevices", | |
"iam:ResyncMFADevice" | |
], | |
"Resource": [ | |
"arn:aws:iam::*:mfa/${aws:username}", | |
"arn:aws:iam::*:user/${aws:username}" | |
] | |
}, | |
{ | |
"Sid": "BlockMostAccessUnlessSignedInWithMFA", | |
"Effect": "Deny", | |
"NotAction": [ | |
"iam:GetAccountSummary", | |
"iam:ListAccountAliases", | |
"iam:ListUsers", | |
"iam:ListServiceSpecificCredentials", | |
"iam:ListMFADevices", | |
"iam:EnableMFADevice", | |
"iam:ResyncMFADevice", | |
"iam:ListVirtualMFADevices", | |
"iam:CreateVirtualMFADevice", | |
"iam:DeleteVirtualMFADevice", | |
"sts:GetSessionToken" | |
], | |
"Resource": "*", | |
"Condition": { | |
"BoolIfExists": { | |
"aws:MultiFactorAuthPresent": "false" | |
} | |
} | |
} | |
] | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment