- {
- "Version": "2012-10-17",
- "Statement":[
- {
- "Sid": "AllowAllUsersToListAccounts",
- "Effect": "Allow",
- "Action":[
- "iam:ListAccountAliases",
- "iam:ListUsers",
- "iam:GetAccountSummary"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation",
- "Effect": "Allow",
- "Action":[
- "iam:ChangePassword",
- "iam:CreateAccessKey",
- "iam:CreateLoginProfile",
- "iam:DeleteAccessKey",
- "iam:DeleteLoginProfile",
- "iam:GetAccountPasswordPolicy",
- "iam:GetLoginProfile",
- "iam:ListAccessKeys",
- "iam:UpdateAccessKey",
- "iam:UpdateLoginProfile",
- "iam:ListSigningCertificates",
- "iam:DeleteSigningCertificate",
- "iam:UpdateSigningCertificate",
- "iam:UploadSigningCertificate",
- "iam:ListSSHPublicKeys",
- "iam:GetSSHPublicKey",
- "iam:DeleteSSHPublicKey",
- "iam:UpdateSSHPublicKey",
- "iam:UploadSSHPublicKey"
- ],
- "Resource": "arn:aws:iam::accountid:user/${aws:username}"
- },
- {
- "Sid": "AllowIndividualUserToListTheirOwnMFA",
- "Effect": "Allow",
- "Action":[
- "iam:ListVirtualMFADevices",
- "iam:ListMFADevices"
- ],
- "Resource":[
- "arn:aws:iam::accountid:mfa/*",
- "arn:aws:iam::accountid:user/${aws:username}"
- ]
- },
- {
- "Sid": "AllowIndividualUserToManageTheirOwnMFA",
- "Effect": "Allow",
- "Action":[
- "iam:CreateVirtualMFADevice",
- "iam:DeactivateMFADevice",
- "iam:DeleteVirtualMFADevice",
- "iam:RequestSmsMfaRegistration",
- "iam:FinalizeSmsMfaRegistration",
- "iam:EnableMFADevice",
- "iam:ResyncMFADevice"
- ],
- "Resource":[
- "arn:aws:iam::accountid:mfa/${aws:username}",
- "arn:aws:iam::accountid:user/${aws:username}"
- ]
- },
- {
- "Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
- "Effect": "Deny",
- "NotAction": "iam:*",
- "Resource": "*",
- "Condition":{
- "BoolIfExists":{ "aws:MultiFactorAuthPresent": "false"}
- }
- }
- ]
- }
- {
- "Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
- "Effect": "Deny",
- "NotAction": "iam:*",
- "Resource": "*",
- "Condition":{
- "Bool":{ "aws:MultiFactorAuthPresent": "false"}
- }
- }
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowAllUsersToListAccounts",
- "Effect": "Allow",
- "Action": [
- "iam:ListAccountAliases",
- "iam:ListUsers"
- ],
- "Resource": [
- "arn:aws:iam::accountid:user/*"
- ]
- },
- {
- "Sid": "AllowIndividualUserToSeeTheirAccountInformation",
- "Effect": "Allow",
- "Action": [
- "iam:GetAccountPasswordPolicy",
- "iam:GetAccountSummary",
- "iam:GetLoginProfile"
- ],
- "Resource": [
- "arn:aws:iam::accountid:user/${aws:username}"
- ]
- },
- {
- "Sid": "AllowIndividualUserToListTheirMFA",
- "Effect": "Allow",
- "Action": [
- "iam:ListVirtualMFADevices",
- "iam:ListMFADevices"
- ],
- "Resource": [
- "arn:aws:iam::accountid:mfa/*",
- "arn:aws:iam::accountid:user/${aws:username}"
- ]
- },
- {
- "Sid": "AllowIndividualUserToManageThierMFA",
- "Effect": "Allow",
- "Action": [
- "iam:CreateVirtualMFADevice",
- "iam:DeactivateMFADevice",
- "iam:DeleteVirtualMFADevice",
- "iam:EnableMFADevice",
- "iam:ResyncMFADevice"
- ],
- "Resource": [
- "arn:aws:iam::accountid:mfa/${aws:username}",
- "arn:aws:iam::accountid:user/${aws:username}"
- ]
- },
- {
- "Sid": "DoNotAllowAnythingOtherThanAboveUnlessMFAd",
- "Effect": "Deny",
- "NotAction": "iam:*",
- "Resource": "*",
- "Condition": {
- "Bool": {
- "aws:MultiFactorAuthPresent": "false"
- }
- }
- }
- ]
- }