AWS !! IAM || Allow A User(PowerUserAccess) to Add MFA
Let's solve the problem in the title above using the STAR method.
"STAR" is an acronym that stands for situation, task, action(s), result(s).
Situation
For AWS security, I group all my team members in an AWS IAM User Group (Infra-Team) that has the PowerUserAccess managed policy attached. That raised one more security concern: the users in this group can't add MFA on their own, because PowerUserAccess excludes almost all iam:* actions.
So I (having admin access) had to jump on a call with each of them and walk them through the MFA set-up (using the Authy app, which requires scanning a QR code).
Task
To avoid this, I have to write my own IAM inline policy that lets the users in the group add MFA on their own, without letting them perform any other IAM-related actions.
Action(s)
Below is the IAM inline policy that does the job; name it IAM-only-MFA-Adding.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:DeactivateMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ],
      "Effect": "Allow",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    },
    {
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
I added this policy to the User Group's permission list. It works alongside PowerUserAccess because that managed policy excludes iam:* through NotAction rather than an explicit Deny, so this additional Allow takes effect.
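As an added example (not part of the original post), here is a small Python check for the two invariants this policy relies on: every action that touches an MFA device is scoped to the caller through ${aws:username}, and deactivation is only allowed from an MFA-authenticated session. The policy above is embedded as a compacted sample, and a constructed weak variant shows what a finding looks like.

```python
import json

# Actions that act on a user's MFA device: they must be scoped to the caller.
SELF_SCOPED = {"iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ResyncMFADevice",
               "iam:DeleteVirtualMFADevice", "iam:DeactivateMFADevice"}
MFA_GATED = {"iam:DeactivateMFADevice"}  # only from an MFA-authenticated session
LIST_ONLY = {"iam:ListMFADevices", "iam:ListVirtualMFADevices"}  # fine on Resource "*"
EXPECTED = SELF_SCOPED | MFA_GATED | LIST_ONLY


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_mfa_self_service_policy(policy):
    # Returns findings; an empty list means every Allow statement keeps the invariants.
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        mfa_present = (stmt.get("Condition", {}).get("Bool", {})
                       .get("aws:MultiFactorAuthPresent") == "true")
        for action in _as_list(stmt.get("Action", [])):
            if action not in EXPECTED:
                findings.append(f"stmt {i}: unexpected action {action}")
            if action in SELF_SCOPED and any("${aws:username}" not in r for r in resources):
                findings.append(f"stmt {i}: {action} not scoped to the caller's own user")
            if action in MFA_GATED and not mfa_present:
                findings.append(f"stmt {i}: {action} allowed without aws:MultiFactorAuthPresent")
    return findings


# Constructed sample: the policy from the post, compacted.
PAGE_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
   "iam:ResyncMFADevice", "iam:DeleteVirtualMFADevice"],
  "Resource": ["arn:aws:iam::*:mfa/${aws:username}", "arn:aws:iam::*:user/${aws:username}"]},
 {"Effect": "Allow", "Action": ["iam:DeactivateMFADevice"],
  "Resource": ["arn:aws:iam::*:mfa/${aws:username}", "arn:aws:iam::*:user/${aws:username}"],
  "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
 {"Effect": "Allow", "Action": ["iam:ListMFADevices", "iam:ListVirtualMFADevices"],
  "Resource": "*"}]}''')

# Constructed weak variant: deactivation on any user's device, with no MFA condition.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:DeactivateMFADevice", "Resource": "arn:aws:iam::*:user/*"}]}

if __name__ == "__main__":
    print(check_mfa_self_service_policy(PAGE_POLICY))  # []
    print(check_mfa_self_service_policy(WEAK_POLICY))  # two findings
```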
Result(s)
With this permission update on my User Group, new users can set up their own MFA device after logging in.