phaseOne · April 7, 2021 21:05
diff --git a/SelfManageCredentialsAndRequireMFA.json b/SelfManageCredentialsAndRequireMFA.json
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFAAndNewUser",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
                "iam:ChangePassword"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                },
                "StringNotEqualsIfExists": {
                    "iam:ResourceTag/NewUser": "true"
                }
            }
        }
    ]
 }
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "AllowViewAccountInfo",
	"Effect": "Allow",
	"Action": [
	"iam:GetAccountPasswordPolicy"
	],
	"Resource": "*"
	},
	{
	"Sid": "AllowManageOwnPasswords",
	"Effect": "Allow",
	"Action": [
	"iam:ChangePassword",
	"iam:GetUser"
	],
	"Resource": "arn:aws:iam::*:user/${aws:username}"
	},
	{
	"Sid": "AllowManageOwnAccessKeys",
	"Effect": "Allow",
	"Action": [
	"iam:CreateAccessKey",
	"iam:DeleteAccessKey",
	"iam:ListAccessKeys",
	"iam:UpdateAccessKey"
	],
	"Resource": "arn:aws:iam::*:user/${aws:username}"
	},
	{
	"Sid": "AllowManageOwnSigningCertificates",
	"Effect": "Allow",
	"Action": [
	"iam:DeleteSigningCertificate",
	"iam:ListSigningCertificates",
	"iam:UpdateSigningCertificate",
	"iam:UploadSigningCertificate"
	],
	"Resource": "arn:aws:iam::*:user/${aws:username}"
	},
	{
	"Sid": "AllowManageOwnSSHPublicKeys",
	"Effect": "Allow",
	"Action": [
	"iam:DeleteSSHPublicKey",
	"iam:GetSSHPublicKey",
	"iam:ListSSHPublicKeys",
	"iam:UpdateSSHPublicKey",
	"iam:UploadSSHPublicKey"
	],
	"Resource": "arn:aws:iam::*:user/${aws:username}"
	},
	{
	"Sid": "AllowManageOwnGitCredentials",
	"Effect": "Allow",
	"Action": [
	"iam:CreateServiceSpecificCredential",
	"iam:DeleteServiceSpecificCredential",
	"iam:ListServiceSpecificCredentials",
	"iam:ResetServiceSpecificCredential",
	"iam:UpdateServiceSpecificCredential"
	],
	"Resource": "arn:aws:iam::*:user/${aws:username}"
	},
	{
	"Sid": "AllowManageOwnVirtualMFADevice",
	"Effect": "Allow",
	"Action": [
	"iam:CreateVirtualMFADevice",
	"iam:DeleteVirtualMFADevice"
	],
	"Resource": "arn:aws:iam::*:mfa/${aws:username}"
	},
	{
	"Sid": "AllowManageOwnUserMFA",
	"Effect": "Allow",
	"Action": [
	"iam:DeactivateMFADevice",
	"iam:EnableMFADevice",
	"iam:ListMFADevices",
	"iam:ResyncMFADevice"
	],
	"Resource": "arn:aws:iam::*:user/${aws:username}"
	},
	{
	"Sid": "DenyAllExceptListedIfNoMFAAndNewUser",
	"Effect": "Deny",
	"NotAction": [
	"iam:CreateVirtualMFADevice",
	"iam:EnableMFADevice",
	"iam:GetUser",
	"iam:ListMFADevices",
	"iam:ListVirtualMFADevices",
	"iam:ResyncMFADevice",
	"sts:GetSessionToken",
	"iam:ChangePassword"
	],
	"Resource": "*",
	"Condition": {
	"BoolIfExists": {
	"aws:MultiFactorAuthPresent": "false"
	}
	}
	},
	{
	"Sid": "DenyAllExceptListedIfNoMFA",
	"Effect": "Deny",
	"NotAction": [
	"iam:CreateVirtualMFADevice",
	"iam:EnableMFADevice",
	"iam:GetUser",
	"iam:ListMFADevices",
	"iam:ListVirtualMFADevices",
	"iam:ResyncMFADevice",
	"sts:GetSessionToken"
	],
	"Resource": "*",
	"Condition": {
	"BoolIfExists": {
	"aws:MultiFactorAuthPresent": "false"
	},
	"StringNotEqualsIfExists": {
	"iam:ResourceTag/NewUser": "true"
	}
	}
	}
	]
	}