Home / server / Questions / 602586
In Process
Ali
Asked: 2014-06-08 08:04:26 +0800 CST

How to allow IAM users to setup their own virtual MFA devices

  • 772

I want to let my IAM users to setup their own MFA devices, through the console, is there a single policy that I can use to achieve this?

So far I can achieve this through a number of IAM policies, letting them list all mfa devices and list users (so that they can find themselves in the IAM console and ...

I am basically looking for a more straight forward way of controlling this.

I should add that my IAM users are trusted users, so I don't have to (although it will be quite nice) lock them down to the minimum possible, so if they can see a list of all users that is ok.

amazon-web-services

2 Answers

  1. AWS docs provide an example of how to do this under "Allow Users to Manage Only Their Own Virtual MFA Devices":

    http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html#creds-policies-mfa-console

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToCreateEnableResyncTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
        "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowUsersToDeactivateDeleteTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
        "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": true
        }
      }
    },
    {
      "Sid": "AllowUsersToListMFADevicesandUsersForConsole",
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

    To find your AWS account ID number to plugin in in the AWS Management Console, click on Support in the navigation bar in the upper-right, and then click Support Center. Your currently signed in account ID appears below the Support menu.

    See also https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users

    • 3

  2. [...] is there a single policy that I can use to achieve this?...

    So far I can achieve this through a number of IAM policies, [...]

    I am basically looking for a more straight forward way of controlling this.

    I'm afraid your current approach is the only feasible one at this point, see my related answer to the more generic question How can I give an AWS IAM user permissions to manage his own security credentials?, which refers to another one concerning IAM access to EC2 REST API? in turn, where I explore 'IAM Credentials Self Management' in general.

    • 1