

@royharoush
Created March 18, 2020 12:56

Revisions

  1. royharoush created this gist Mar 18, 2020.
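--- a/MFAPolicy
+++ b/MFAPolicy
@@ -0,0 +1,123 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "AllowManageOwnVirtualMFADevice1",
+"Effect": "Allow",
+"Action": [
+"iam:CreateVirtualMFADevice",
+"iam:DeleteVirtualMFADevice"
+],
+"Resource": "arn:aws:iam::*:mfa/${aws:username}"
+},
+{
+"Sid": "AllowViewAccountInfo",
+"Effect": "Allow",
+"Action": [
+"iam:GetAccountPasswordPolicy",
+"iam:GetAccountSummary",
+"iam:ListVirtualMFADevices",
+"iam:CreateVirtualMFADevice",
+"iam:EnableMFADevice"
+],
+"Resource": "*"
+},
+{
+"Sid": "AllowManageOwnPasswords",
+"Effect": "Allow",
+"Action": [
+"iam:ChangePassword",
+"iam:GetUser"
+],
+"Resource": "arn:aws:iam::*:user/${aws:username}"
+},
+{
+"Sid": "AllowManageOwnAccessKeys",
+"Effect": "Allow",
+"Action": [
+"iam:CreateAccessKey",
+"iam:DeleteAccessKey",
+"iam:ListAccessKeys",
+"iam:UpdateAccessKey"
+],
+"Resource": "arn:aws:iam::*:user/${aws:username}"
+},
+{
+"Sid": "AllowManageOwnSigningCertificates",
+"Effect": "Allow",
+"Action": [
+"iam:DeleteSigningCertificate",
+"iam:ListSigningCertificates",
+"iam:UpdateSigningCertificate",
+"iam:UploadSigningCertificate"
+],
+"Resource": "arn:aws:iam::*:user/${aws:username}"
+},
+{
+"Sid": "AllowManageOwnSSHPublicKeys",
+"Effect": "Allow",
+"Action": [
+"iam:DeleteSSHPublicKey",
+"iam:GetSSHPublicKey",
+"iam:ListSSHPublicKeys",
+"iam:UpdateSSHPublicKey",
+"iam:UploadSSHPublicKey"
+],
+"Resource": "arn:aws:iam::*:user/${aws:username}"
+},
+{
+"Sid": "AllowManageOwnGitCredentials",
+"Effect": "Allow",
+"Action": [
+"iam:CreateServiceSpecificCredential",
+"iam:DeleteServiceSpecificCredential",
+"iam:ListServiceSpecificCredentials",
+"iam:ResetServiceSpecificCredential",
+"iam:UpdateServiceSpecificCredential"
+],
+"Resource": "arn:aws:iam::*:user/${aws:username}"
+},
+{
+"Sid": "AllowManageOwnVirtualMFADevice",
+"Effect": "Allow",
+"Action": [
+"iam:CreateVirtualMFADevice",
+"iam:DeleteVirtualMFADevice"
+],
+"Resource": "arn:aws:iam::*:mfa/${aws:username}"
+},
+{
+"Sid": "AllowManageOwnUserMFA",
+"Effect": "Allow",
+"Action": [
+"iam:DeactivateMFADevice",
+"iam:EnableMFADevice",
+"iam:ListMFADevices",
+"iam:ResyncMFADevice",
+"iam:CreateVirtualMFADevice",
+"iam:EnableMFADevice"
+],
+"Resource": "arn:aws:iam::*:user/${aws:username}"
+},
+{
+"Sid": "DenyAllExceptListedIfNoMFA",
+"Effect": "Deny",
+"NotAction": [
+"iam:GetUser",
+"iam:ListMFADevices",
+"iam:ListVirtualMFADevices",
+"iam:ResyncMFADevice",
+"sts:GetSessionToken",
+"iam:CreateVirtualMFADevice",
+"iam:EnableMFADevice",
+"iam:DeleteVirtualMFADevice"
+],
+"Resource": "*",
+"Condition": {
+"Bool": {
+"aws:MultiFactorAuthPresent": "false"
+}
+}
+}
+]
+}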
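Review bot: The `DenyAllExceptListedIfNoMFA` statement gates on `"Bool": {"aws:MultiFactorAuthPresent": "false"}`, and per AWS's documentation that key is absent from requests signed with long-term access keys, so for such requests the condition evaluates to false and the Deny never applies — only temporary-credential sessions are actually restricted, which matters here because the policy also grants `iam:CreateAccessKey` on the user's own ARN. The standard fix is to change the operator to `"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}` so a missing key is treated as "no MFA". Separately, `AllowViewAccountInfo` grants `iam:CreateVirtualMFADevice` and `iam:EnableMFADevice` on `"Resource": "*"`, which allows enabling an MFA device on any IAM user rather than only the caller's own, and both actions are excluded from the Deny so this is reachable without MFA; drop those two actions from that statement, since `AllowManageOwnVirtualMFADevice` and `AllowManageOwnUserMFA` already scope them to `${aws:username}`. Finally, `AllowManageOwnVirtualMFADevice1` is a verbatim duplicate of `AllowManageOwnVirtualMFADevice`, and `iam:EnableMFADevice` appears twice in `AllowManageOwnUserMFA`; both are harmless but should be removed to keep the policy reviewable.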