@jflemer-ndp
Created June 24, 2019 19:47
IAM policy enforcing MFA/2FA for Amazon AWS GovCloud users
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "arn:aws-us-gov:iam::*:user/${aws:username}"
},
{
"Sid": "AllowCreateOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice"
],
"Resource": "arn:aws-us-gov:iam::*:mfa/${aws:username}"
},
{
"Sid": "AllowEnableOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws-us-gov:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:ChangePassword",
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}