Last active
August 4, 2022 10:41
-
-
Save koseki/d5d0ce8af3a38bdefc0e92af02bc933b to your computer and use it in GitHub Desktop.
MFA required IAM Policies
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "AllowViewAccountInfo", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:GetAccountPasswordPolicy", | |
| "iam:ListVirtualMFADevices" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnPasswords", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:ChangePassword", | |
| "iam:GetUser" | |
| ], | |
| "Resource": "arn:aws:iam::*:user/${aws:username}" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnAccessKeys", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:CreateAccessKey", | |
| "iam:DeleteAccessKey", | |
| "iam:ListAccessKeys", | |
| "iam:UpdateAccessKey" | |
| ], | |
| "Resource": "arn:aws:iam::*:user/${aws:username}" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnSigningCertificates", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:DeleteSigningCertificate", | |
| "iam:ListSigningCertificates", | |
| "iam:UpdateSigningCertificate", | |
| "iam:UploadSigningCertificate" | |
| ], | |
| "Resource": "arn:aws:iam::*:user/${aws:username}" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnSSHPublicKeys", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:DeleteSSHPublicKey", | |
| "iam:GetSSHPublicKey", | |
| "iam:ListSSHPublicKeys", | |
| "iam:UpdateSSHPublicKey", | |
| "iam:UploadSSHPublicKey" | |
| ], | |
| "Resource": "arn:aws:iam::*:user/${aws:username}" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnGitCredentials", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:CreateServiceSpecificCredential", | |
| "iam:DeleteServiceSpecificCredential", | |
| "iam:ListServiceSpecificCredentials", | |
| "iam:ResetServiceSpecificCredential", | |
| "iam:UpdateServiceSpecificCredential" | |
| ], | |
| "Resource": "arn:aws:iam::*:user/${aws:username}" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnVirtualMFADevice", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:CreateVirtualMFADevice", | |
| "iam:DeleteVirtualMFADevice" | |
| ], | |
| "Resource": "arn:aws:iam::*:mfa/${aws:username}" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnUserMFA", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:DeactivateMFADevice", | |
| "iam:EnableMFADevice", | |
| "iam:ListMFADevices", | |
| "iam:ResyncMFADevice" | |
| ], | |
| "Resource": "arn:aws:iam::*:user/${aws:username}" | |
| }, | |
| { | |
| "Sid": "DenyAllExceptListedIfNoMFA", | |
| "Effect": "Deny", | |
| "NotAction": [ | |
| "iam:CreateVirtualMFADevice", | |
| "iam:EnableMFADevice", | |
| "iam:GetUser", | |
| "iam:ListMFADevices", | |
| "iam:ListVirtualMFADevices", | |
| "iam:ResyncMFADevice", | |
| "sts:GetSessionToken" | |
| ], | |
| "Resource": "*", | |
| "Condition": { | |
| "BoolIfExists": { | |
| "aws:MultiFactorAuthPresent": "false" | |
| } | |
| } | |
| } | |
| ] | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "AllowViewAccountInfo", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:GetAccountPasswordPolicy", | |
| "iam:ListVirtualMFADevices" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnPasswords", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:ChangePassword", | |
| "iam:GetUser" | |
| ], | |
| "Resource": "arn:aws:iam::*:user/${aws:username}" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnAccessKeys", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:CreateAccessKey", | |
| "iam:DeleteAccessKey", | |
| "iam:ListAccessKeys", | |
| "iam:UpdateAccessKey" | |
| ], | |
| "Resource": "arn:aws:iam::*:user/${aws:username}" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnSigningCertificates", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:DeleteSigningCertificate", | |
| "iam:ListSigningCertificates", | |
| "iam:UpdateSigningCertificate", | |
| "iam:UploadSigningCertificate" | |
| ], | |
| "Resource": "arn:aws:iam::*:user/${aws:username}" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnSSHPublicKeys", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:DeleteSSHPublicKey", | |
| "iam:GetSSHPublicKey", | |
| "iam:ListSSHPublicKeys", | |
| "iam:UpdateSSHPublicKey", | |
| "iam:UploadSSHPublicKey" | |
| ], | |
| "Resource": "arn:aws:iam::*:user/${aws:username}" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnGitCredentials", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:CreateServiceSpecificCredential", | |
| "iam:DeleteServiceSpecificCredential", | |
| "iam:ListServiceSpecificCredentials", | |
| "iam:ResetServiceSpecificCredential", | |
| "iam:UpdateServiceSpecificCredential" | |
| ], | |
| "Resource": "arn:aws:iam::*:user/${aws:username}" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnVirtualMFADevice", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:CreateVirtualMFADevice", | |
| "iam:DeleteVirtualMFADevice" | |
| ], | |
| "Resource": "arn:aws:iam::*:mfa/${aws:username}" | |
| }, | |
| { | |
| "Sid": "AllowManageOwnUserMFA", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:DeactivateMFADevice", | |
| "iam:EnableMFADevice", | |
| "iam:ListMFADevices", | |
| "iam:ResyncMFADevice" | |
| ], | |
| "Resource": "arn:aws:iam::*:user/${aws:username}" | |
| }, | |
| { | |
| "Sid": "DenyAllExceptListedIfNoMFA", | |
| "Effect": "Deny", | |
| "NotAction": [ | |
| "iam:CreateVirtualMFADevice", | |
| "iam:EnableMFADevice", | |
| "iam:GetUser", | |
| "iam:ListMFADevices", | |
| "iam:ListVirtualMFADevices", | |
| "iam:ResyncMFADevice", | |
| "sts:GetSessionToken", | |
| "iam:ChangePassword", | |
| "iam:GetAccountPasswordPolicy" | |
| ], | |
| "Resource": "*", | |
| "Condition": { | |
| "BoolIfExists": { | |
| "aws:MultiFactorAuthPresent": "false" | |
| } | |
| } | |
| } | |
| ] | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/bash | |
| if [ -z "$1" ]; then | |
| echo "Usage: setup.sh profile" | |
| exit 1 | |
| fi | |
| set -e | |
| cd $(dirname $0) | |
| PROFILE=$1 | |
| AWS="aws --profile $PROFILE" | |
| DATE=$(date +"%Y-%m-%d") | |
| DESC1="$DATE - Copied and edited the official sample JSON to enable password reset - AWS Allows MFA-Authenticated IAM Users to Manage Their Own Credentials on the My Security Credentials Page" | |
| DESC2="$DATE - Copied from the official document - AWS Allows MFA-Authenticated IAM Users to Manage Their Own Credentials on the My Security Credentials Page" | |
| POLICY_NAME1=MFARequiredOnlyForTheFirstLogin | |
| POLICY_NAME2=MFARequiredForCurrentUsers | |
| GROUP_NAME1=NotYetLoginUsers | |
| echo "--- Create Policies" | |
| set -x | |
| $AWS iam create-policy --policy-name "$POLICY_NAME1" --policy-document file://./MFARequiredOnlyForTheFirstLogin.json --description "$DESC1" | |
| $AWS iam create-policy --policy-name "$POLICY_NAME2" --policy-document file://./MFARequiredForCurrentUsers.json --description "$DESC2" | |
| set +x | |
| echo "--- Current Policies" | |
| set -x | |
| $AWS iam list-policies --scope Local | |
| set +x | |
| echo "--- Create Group: $GROUP_NAME1" | |
| set -x | |
| POLICY_ARN1=$($AWS iam list-policies --query "Policies[?PolicyName==\`$POLICY_NAME1\`].Arn" --scope Local --output text) | |
| $AWS iam create-group --group-name "$GROUP_NAME1" | |
| $AWS iam attach-group-policy --group-name "$GROUP_NAME1" --policy-arn "$POLICY_ARN1" | |
| set +x |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment