0

I hold admin powers on one of the AWS accounts that we use at the company where I work. I am trying to make MFA mandatory for all users. I followed this tutorial:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html

I created that policy, then I assigned the policy directly to the user Gregory. But when he logs in and tries to setup MFA, he sees a page full of permission errors, such as:

Gregory is not authorized to perform: 
iam:ListMFADevices on resource: gregory 
because no permissions boundary allows 
the iam:ListMFADevices action

But the action ListMFADevices is part of the policy that I created and attached to this user. So what am I missing?

EDIT

This is the policy from the other page, the tutorial that I followed. I applied this directly to the user:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowListActions",
        "Effect": "Allow",
        "Action": [
            "iam:ListUsers",
            "iam:ListVirtualMFADevices"
        ],
        "Resource": "*"
    },
    {
        "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
        "Effect": "Allow",
        "Action": [
            "iam:ListMFADevices"
        ],
        "Resource": [
            "arn:aws:iam::*:mfa/*",
            "arn:aws:iam::*:user/${aws:username}"
        ]
    },
    {
        "Sid": "AllowIndividualUserToManageTheirOwnMFA",
        "Effect": "Allow",
        "Action": [
            "iam:CreateVirtualMFADevice",
            "iam:DeleteVirtualMFADevice",
            "iam:EnableMFADevice",
            "iam:ResyncMFADevice"
        ],
        "Resource": [
            "arn:aws:iam::*:mfa/${aws:username}",
            "arn:aws:iam::*:user/${aws:username}"
        ]
    },
    {
        "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
        "Effect": "Allow",
        "Action": [
            "iam:DeactivateMFADevice"
        ],
        "Resource": [
            "arn:aws:iam::*:mfa/${aws:username}",
            "arn:aws:iam::*:user/${aws:username}"
        ],
        "Condition": {
            "Bool": {
                "aws:MultiFactorAuthPresent": "true"
            }
        }
    },
    {
        "Sid": "BlockMostAccessUnlessSignedInWithMFA",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice",
            "iam:EnableMFADevice",
            "iam:ListMFADevices",
            "iam:ListUsers",
            "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice"
        ],
        "Resource": "*",
        "Condition": {
            "BoolIfExists": {
                "aws:MultiFactorAuthPresent": "false"
            }
        }
    }
]
}
charlottesville
  • 153
  • 1
  • 6
  • Hard to say as you haven't shared exactly what you've done. You have somehow managed to prevent users calling iam:ListMFADevices either by changing the permissions boundary or by applying policies incorrectly. If you want help you'll have to edit your post to include screenshots and policies. I tend to use AWS SSO rather than AWS IAM, but both will work. – Tim Jun 27 '22 at 21:32
  • I've updated the post with the exact policy that I applied to the user. I don't understand what you are saying about the permissions boundary. – charlottesville Jun 28 '22 at 14:19
  • I shot myself in the foot. There as a policy boundary attached to the default group for the account, which caused the issue. I myself had not created the default group and didn't realize the policy boundary was there. – charlottesville Jun 28 '22 at 22:20
  • Suggest you put in an answer to your own question so others can learn from it in the future. – Tim Jun 28 '22 at 23:00

1 Answers1

2

Turns out there was a default group for this account which had a policy boundary which blocked what I wanted to do.

charlottesville
  • 153
  • 1
  • 6