AWS IAM Policy - user MFA force
mkdir.chandler
2023. 9. 13. 00:00
AWS IAM Policy - user MFA force
■ 설명
첫 로그인 시 MFA를 강제로 적용하도록 설정하는 policy. 다만 아래 코드에는 Allow 문만 있고 MFA 없이 수행되는 작업을 막는 Deny 문(`aws:MultiFactorAuthPresent` 조건)이 없으므로, 이 정책만 붙이면 사용자가 MFA 없이도 다른 권한을 그대로 사용할 수 있다. 또한 `AllowManageOwnUserMFA` 문의 `iam:DeactivateMFADevice`에 MFA 조건이 없어 비밀번호만 유출되어도 MFA를 해제할 수 있으니, 해당 작업은 MFA 조건이 붙은 별도 문으로 분리하는 것이 안전하다.
■ 코드
{
"Statement": [
{
"Action": [
"iam:ChangePassword"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:user/${aws:username}"
],
"Sid": "AllowChangePassword"
},
{
"Action": [
"iam:GetAccountPasswordPolicy"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowGetAccountPasswordPolicy"
},
{
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListVirtualMFADevices"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowViewAccountInfo"
},
{
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Sid": "AllowManageOwnPasswords"
},
{
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Sid": "AllowManageOwnAccessKeys"
},
{
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Sid": "AllowManageOwnSigningCertificates"
},
{
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Sid": "AllowManageOwnSSHPublicKeys"
},
{
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Sid": "AllowManageOwnGitCredentials"
},
{
"Action": [
"iam:CreateVirtualMFADevice"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:mfa/*",
"Sid": "AllowManageOwnVirtualMFADevice"
},
{
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Sid": "AllowManageOwnUserMFA"
},
{
"Action": [
"iam:ListUsers"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:*",
"Sid": "AllowListUsers"
}
],
"Version": "2012-10-17"
}
by mkdir-chandler