AWS IAM policy to let users manage their own MFA

Posted on 2 mins read

If you’re an AWS administrator you know that managing web console security is pretty tough unless you know what you want and you know what you’re doing. So if what you want is let each AWS user manage their own MFA device configuration without you and force them to have MFA active to use the web console, here is your solution.

TL;DR

  • Create one or more groups with your web users
  • Create a new policy using this JSON
  • Attach the policy to the group(s)

How does it work?

The policy has this logic:

  • Allow basic operations on IAM without having MFA set up
  • Allow setup and management of MFA for own user in IAM (create, delete, resync device)
  • Deny every action on every resource when MFA is not setup
  • Allow user to access IAM without MFA – this is necessary to sub-segment the previous rule

The magic lies in the use of ARN policy variables which is a poorly documented feature of IAM. Notice how in some case the statement makes use of ${aws:username} to confine the action executed on the only user receiving the policy grants.

This IAM policy blocks every serice usage when MFA is not setup, and in conjunction with default IAM behavior will deny access on every action if not explicitly given. You should combine this “base” policy with other group/service oriented policies to confine web users on certain functionalities. For example if you want a set of users self-managing their own MFA and access the EC2 service only after having setup MFA, you should execute the following after having setup the IAMUsersMFAManagement policy.

``Reference: AWS IAM variables documentation

comments powered by Disqus