AWS IAM policy to let users manage their own MFA

If you’re an AWS administrator you know that managing web console security is pretty tough unless you know what you want and you know what you’re doing. So if what you want is to let each AWS user manage their own MFA device configuration without your help, and to force them to have MFA active before they can use the web console, here is your solution.

TL;DR

How does it work?

The policy has this logic:

The magic lies in the use of ARN policy variables, a poorly documented feature of IAM. Notice how some statements use ${aws:username} in the resource ARN to confine the action to the one user who receives the policy grants.

This IAM policy blocks every service usage when MFA is not set up, and in conjunction with default IAM behavior it will deny every action that is not explicitly allowed. You should combine this “base” policy with other group/service oriented policies to confine web users to certain functionality. For example, if you want a set of users to self-manage their own MFA and to access the EC2 service only after having set up MFA, you should execute the following after having set up the IAMUsersMFAManagement policy.
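As an added example, not the policy from the original post, here is an IAM policy written to the logic described above: ${aws:username} in the resource ARNs confines the MFA actions to the calling user, and a final Deny with aws:MultiFactorAuthPresent blocks everything else until MFA is present (the Sid names are my own).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListActionsNeededByConsole",
      "Effect": "Allow",
      "Action": ["iam:ListUsers", "iam:ListVirtualMFADevices"],
      "Resource": "*"
    },
    {
      "Sid": "AllowOwnUserInfo",
      "Effect": "Allow",
      "Action": ["iam:GetUser", "iam:ListMFADevices"],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": ["iam:EnableMFADevice", "iam:ResyncMFADevice", "iam:DeactivateMFADevice"],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyEverythingElseWithoutMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
```

Deactivating or deleting the device is deliberately absent from NotAction, so those calls require an MFA-authenticated session; BoolIfExists (rather than Bool) makes the Deny also match requests where the MFA context key is absent entirely, such as plain access-key calls.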

Reference: AWS IAM variables documentation