
I have added the below policy to one of the IAM users to allow him to enable MFA for his account. This policy will allow the user to access resources only if they enable MFA for their account. After adding MFA he is able to access resources through the console, but the problem is that after adding MFA he is getting an access denied error while using access keys and secret keys anywhere. I don't know whether the policy has any errors. Anyone please help me on this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": "iam:ListVirtualMFADevices",
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
  • It should be `{ "Bool": { "aws:MultiFactorAuthPresent": "false" } }` – Riz Sep 30 '22 at 13:14
  • After editing my policy with the above answer my keys were working on some scripts and not working on some scripts. But the user can access on the console. Any reasons for this? – rovoda Oct 10 '22 at 12:14
  • What scripts? The above policy is only and only to check and restrict access to users without MFA and absolutely nothing else. – Riz Oct 10 '22 at 14:31
  • After adding this policy the user can't access Athena through keys, but they can access it from the console. That is the problem. – rovoda Oct 11 '22 at 04:45
  • With your original policy, yes the user won't be able to use the access keys but changing `BoolIfExists` to only `Bool` it shouldn't be an issue. – Riz Oct 11 '22 at 09:03

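The `BoolIfExists` versus `Bool` difference behind the comments, as an added example (not code from the question or the commenters): a small Python model of how IAM evaluates the `DenyAllExceptListedIfNoMFA` condition for a console session with MFA, a console session without MFA, and a request signed with a long-term access key. The request contexts and the Athena action name are constructed for illustration.

```python
# Added example (not from the question or comments): a model of how IAM evaluates
# the Deny statement's Bool / BoolIfExists condition. Contexts are constructed.

MFA_KEY = "aws:MultiFactorAuthPresent"

def condition_matches(operator, expected, request_context):
    """Bool: missing key -> no match. BoolIfExists: missing key -> match.
    Present key: match iff value equals expected (case-insensitive)."""
    if MFA_KEY not in request_context:
        return operator == "BoolIfExists"
    return request_context[MFA_KEY].lower() == expected.lower()

def deny_statement_applies(operator, action, request_context):
    """True if the page's DenyAllExceptListedIfNoMFA statement blocks `action`."""
    not_action = {
        "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
        "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
        "sts:GetSessionToken",
    }
    if action in not_action:  # NotAction: these are exempt from the Deny
        return False
    return condition_matches(operator, "false", request_context)

# Constructed request contexts. IAM only populates aws:MultiFactorAuthPresent for
# temporary credentials (console sessions, STS tokens); a request signed with a
# long-term access key carries no such key at all.
CONSOLE_WITH_MFA = {MFA_KEY: "true"}
CONSOLE_NO_MFA = {MFA_KEY: "false"}
LONG_TERM_ACCESS_KEY = {}

def evaluate_all(action="athena:StartQueryExecution"):
    """Deny outcome per operator and request type, e.g. for the Athena call in the comments."""
    contexts = {
        "console_with_mfa": CONSOLE_WITH_MFA,
        "console_no_mfa": CONSOLE_NO_MFA,
        "long_term_access_key": LONG_TERM_ACCESS_KEY,
    }
    return {
        op: {name: deny_statement_applies(op, action, ctx) for name, ctx in contexts.items()}
        for op in ("BoolIfExists", "Bool")
    }

if __name__ == "__main__":
    for op, results in evaluate_all().items():
        print(op, results)
```

With `Bool` the long-term-key request stops being denied only because the context key is absent, not because MFA was used, which is why the scripts start working again. The same change means the Deny statement no longer enforces MFA for requests made with access keys, so that trade-off should be a deliberate decision.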