dale-c-anderson · January 18, 2023 20:00
diff --git a/AwsEnforceMfaPolicy.json b/AwsEnforceMfaPolicy.json
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllUsersToListAccounts",
            "Effect": "Allow",
            "Action": [
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:GetAccountSummary"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:CreateAccessKey",
                "iam:CreateLoginProfile",
                "iam:DeleteAccessKey",
                "iam:DeleteLoginProfile",
                "iam:GetAccountPasswordPolicy",
                "iam:GetLoginProfile",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey",
                "iam:UpdateLoginProfile",
                "iam:ListSigningCertificates",
                "iam:DeleteSigningCertificate",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate",
                "iam:ListSSHPublicKeys",
                "iam:GetSSHPublicKey",
                "iam:DeleteSSHPublicKey",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey",
                "iam:ListUserPolicies",
                "iam:GetUser",
                "iam:ListGroupsForUser",
                "iam:ListUserTags",
                "iam:ListServiceSpecificCredentials"
            ],
            "Resource": "arn:aws:iam::XXXXXXXXXXXX:user/${aws:username}"
        },
        {
            "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:ListVirtualMFADevices",
                "iam:ListMFADevices"
            ],
            "Resource": [
                "arn:aws:iam::XXXXXXXXXXXX:mfa/*",
                "arn:aws:iam::XXXXXXXXXXXX:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToManageTheirOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::XXXXXXXXXXXX:mfa/${aws:username}*",
                "arn:aws:iam::XXXXXXXXXXXX:user/${aws:username}*"
            ]
        },
        {
            "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::XXXXXXXXXXXX:mfa/${aws:username}*",
                "arn:aws:iam::XXXXXXXXXXXX:user/${aws:username}*"
            ],
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        },
        {
            "Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
            "Effect": "Deny",
            "NotAction": "iam:*",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
 }
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "AllowAllUsersToListAccounts",
	"Effect": "Allow",
	"Action": [
	"iam:ListAccountAliases",
	"iam:ListUsers",
	"iam:GetAccountSummary"
	],
	"Resource": "*"
	},
	{
	"Sid": "AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation",
	"Effect": "Allow",
	"Action": [
	"iam:ChangePassword",
	"iam:CreateAccessKey",
	"iam:CreateLoginProfile",
	"iam:DeleteAccessKey",
	"iam:DeleteLoginProfile",
	"iam:GetAccountPasswordPolicy",
	"iam:GetLoginProfile",
	"iam:ListAccessKeys",
	"iam:UpdateAccessKey",
	"iam:UpdateLoginProfile",
	"iam:ListSigningCertificates",
	"iam:DeleteSigningCertificate",
	"iam:UpdateSigningCertificate",
	"iam:UploadSigningCertificate",
	"iam:ListSSHPublicKeys",
	"iam:GetSSHPublicKey",
	"iam:DeleteSSHPublicKey",
	"iam:UpdateSSHPublicKey",
	"iam:UploadSSHPublicKey",
	"iam:ListUserPolicies",
	"iam:GetUser",
	"iam:ListGroupsForUser",
	"iam:ListUserTags",
	"iam:ListServiceSpecificCredentials"
	],
	"Resource": "arn:aws:iam::XXXXXXXXXXXX:user/${aws:username}"
	},
	{
	"Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
	"Effect": "Allow",
	"Action": [
	"iam:ListVirtualMFADevices",
	"iam:ListMFADevices"
	],
	"Resource": [
	"arn:aws:iam::XXXXXXXXXXXX:mfa/*",
	"arn:aws:iam::XXXXXXXXXXXX:user/${aws:username}"
	]
	},
	{
	"Sid": "AllowIndividualUserToManageTheirOwnMFA",
	"Effect": "Allow",
	"Action": [
	"iam:CreateVirtualMFADevice",
	"iam:DeleteVirtualMFADevice",
	"iam:EnableMFADevice",
	"iam:ResyncMFADevice"
	],
	"Resource": [
	"arn:aws:iam::XXXXXXXXXXXX:mfa/${aws:username}*",
	"arn:aws:iam::XXXXXXXXXXXX:user/${aws:username}*"
	]
	},
	{
	"Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
	"Effect": "Allow",
	"Action": [
	"iam:DeactivateMFADevice"
	],
	"Resource": [
	"arn:aws:iam::XXXXXXXXXXXX:mfa/${aws:username}*",
	"arn:aws:iam::XXXXXXXXXXXX:user/${aws:username}*"
	],
	"Condition": {
	"Bool": {
	"aws:MultiFactorAuthPresent": "true"
	}
	}
	},
	{
	"Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
	"Effect": "Deny",
	"NotAction": "iam:*",
	"Resource": "*",
	"Condition": {
	"BoolIfExists": {
	"aws:MultiFactorAuthPresent": "false"
	}
	}
	}
	]
	}