
I created an IAM user at AWS that should be allowed to perform a couple of S3 bucket actions, but only when MFA is enabled. Therefore I added a policy according to the AWS documentation with the following content:

{
    "Statement": [
        {
            "Action": [
                "iam:ListVirtualMFADevices",
                "iam:ListUsers"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "AllowListActions"
        },
        {
            "Action": "iam:ListMFADevices",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:user/${aws:username}",
                "arn:aws:iam::*:mfa/*"
            ],
            "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA"
        },
        {
            "Action": [
                "iam:ResyncMFADevice",
                "iam:EnableMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:CreateVirtualMFADevice"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:user/${aws:username}",
                "arn:aws:iam::*:mfa/${aws:username}"
            ],
            "Sid": "AllowIndividualUserToManageTheirOwnMFA"
        },
        {
            "Action": "iam:DeactivateMFADevice",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:user/${aws:username}",
                "arn:aws:iam::*:mfa/${aws:username}"
            ],
            "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA"
        },
        {
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            },
            "Effect": "Deny",
            "NotAction": [
                "iam:ResyncMFADevice",
                "iam:ListVirtualMFADevices",
                "iam:ListUsers",
                "iam:ListMFADevices",
                "iam:EnableMFADevice",
                "iam:CreateVirtualMFADevice"
            ],
            "Resource": "*",
            "Sid": "BlockMostAccessUnlessSignedInWithMFA"
        }
    ],
    "Version": "2012-10-17"
}

This is simply the default policy, recommended by AWS. Nevertheless, when the particular user logs in and tries to add a virtual MFA, he sees the following error message:

User: arn:aws:iam::1234567890:user/users/[email protected] is not authorized to perform: iam:ListMFADevices on resource: user [email protected] because no identity-based policy allows the iam:ListMFADevices action

Am I missing something in the setup of the permissions?
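
The decision the error message reports can be reproduced offline with a small evaluator for the subset of IAM policy semantics this policy uses (Action/NotAction, Resource wildcards, `${aws:username}` substitution, Bool/BoolIfExists conditions, explicit Deny winning over Allow). This is an added example, not the asker's code or an AWS tool; the account id, the user name `alice` and the bucket name are constructed. It relies on the documented AWS behaviour that `${aws:username}` expands to the user's friendly name without its path, so an ARN of the form `user/users/alice` is not matched by `user/${aws:username}`, which is exactly the shape of the ARN in the error above.

```python
import re

# Abridged copy of the policy from the question: the statements that govern
# listing and managing one's own MFA device plus the MFA-gated Deny.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowIndividualUserToListOnlyTheirOwnMFA", "Effect": "Allow",
         "Action": "iam:ListMFADevices",
         "Resource": ["arn:aws:iam::*:user/${aws:username}", "arn:aws:iam::*:mfa/*"]},
        {"Sid": "AllowIndividualUserToManageTheirOwnMFA", "Effect": "Allow",
         "Action": ["iam:ResyncMFADevice", "iam:EnableMFADevice",
                    "iam:DeleteVirtualMFADevice", "iam:CreateVirtualMFADevice"],
         "Resource": ["arn:aws:iam::*:user/${aws:username}",
                      "arn:aws:iam::*:mfa/${aws:username}"]},
        {"Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
         "Effect": "Allow", "Action": "iam:DeactivateMFADevice",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
         "Resource": ["arn:aws:iam::*:user/${aws:username}",
                      "arn:aws:iam::*:mfa/${aws:username}"]},
        {"Sid": "BlockMostAccessUnlessSignedInWithMFA", "Effect": "Deny",
         "NotAction": ["iam:ResyncMFADevice", "iam:ListVirtualMFADevices",
                       "iam:ListUsers", "iam:ListMFADevices",
                       "iam:EnableMFADevice", "iam:CreateVirtualMFADevice"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def glob_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' spans any characters (including '/'), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def action_matches(statement, action: str) -> bool:
    act = action.lower()  # action names are case-insensitive in IAM
    if "Action" in statement:
        return any(glob_match(p.lower(), act) for p in _as_list(statement["Action"]))
    return not any(glob_match(p.lower(), act) for p in _as_list(statement["NotAction"]))


def resource_matches(statement, resource: str, username: str) -> bool:
    # ${aws:username} is the friendly name only; a user path is not part of it.
    return any(glob_match(p.replace("${aws:username}", username), resource)
               for p in _as_list(statement["Resource"]))


def condition_holds(condition, context) -> bool:
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {operator} not modelled here")
        for key, wanted in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False  # Bool on an absent key is false
                continue  # ...IfExists: an absent key satisfies the condition
            if context[key].lower() != str(wanted).lower():
                return False
    return True


def evaluate(policy, action, resource, username, mfa_present=None) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' (no statement matched).
    mfa_present=None models a request where the key is absent (e.g. a plain
    access-key call); console sessions always carry 'true' or 'false'."""
    context = {}
    if mfa_present is not None:
        context["aws:MultiFactorAuthPresent"] = "true" if mfa_present else "false"
    allowed = False
    for st in policy["Statement"]:
        if not (action_matches(st, action) and resource_matches(st, resource, username)):
            continue
        if not condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    # Constructed: same user name, once with and once without a user path.
    for arn in ("arn:aws:iam::123456789012:user/users/alice",
                "arn:aws:iam::123456789012:user/alice"):
        print(arn, "->", evaluate(POLICY, "iam:ListMFADevices", arn, "alice", True))
```

Running it prints `ImplicitDeny` for the ARN with the `/users/` path and `Allow` for the path-less one, which matches the wording of the console error ("no identity-based policy allows the iam:ListMFADevices action"). The evaluator also shows the intended effect of the last statement: with MFA absent or false, anything outside the NotAction list is denied, while the MFA-setup actions stay reachable.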

5 Answers


  1. I too had a similar error recently; the AWS docs are awful related to this. Once the MFA device is set up, everything works fine, but getting it set up, I couldn't find the permission to do this either.

    One workaround is to set this up for the user and send them a pic of the QR code, so they can complete the setup on their device.

    It’s not a perfect situation as this requires trust in a human to do this initial step.

    If anyone has the actual answer for how to do this, I too would be interested in hearing it, as in the AWS docs and content online I couldn't find the policy that needs to be applied for this to work without this manual intervention.
  2. {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowManageOwnVirtualMFADevice",
                "Effect": "Allow",
                "Action": [
                    "iam:CreateVirtualMFADevice",
                    "iam:DeleteVirtualMFADevice"
                ],
                "Resource": "arn:aws:iam::*:mfa/${aws:username}"
            },
            {
                "Sid": "AllowManageOwnUserMFA",
                "Effect": "Allow",
                "Action": [
                    "iam:DeactivateMFADevice",
                    "iam:EnableMFADevice",
                    "iam:ListMFADevices",
                    "iam:ResyncMFADevice"
                ],
                "Resource": "arn:aws:iam::*:user/${aws:username}"
            }
        ]
    }

  3. {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": "iam:ListVirtualMFADevices",
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice",
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:user/${aws:username}",
                "arn:aws:iam::*:mfa/${aws:username}"
            ]
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "iam:ChangePassword",
                "iam:ListAccessKeys",
                "sts:GetSessionToken",
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
        ]
    }

    This seems to work now. Remember that any IAM user needs to log out and then log in again after you change this in order for it to work.

  4. Problem statement:

    when the particular user logs in and tries to add a virtual MFA

    The User itself needs the right permission to perform the action, "Create MFA".

    Possibly, the User was created with a Deny strategy. Check the User Role. Usually the root account provides users with allow policies; iam:ListMFADevices is recommended to be obtained by default for any new user.

    Side note: what you perform is applied as a resource policy on the S3 bucket.

  5. {
        "Action": [
            "iam:ResyncMFADevice",
            "iam:EnableMFADevice",
            "iam:DeleteVirtualMFADevice",
            "iam:CreateVirtualMFADevice"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:iam::*:user/${aws:username}",
            "arn:aws:iam::*:mfa/*"
        ],
        "Sid": "AllowIndividualUserToManageTheirOwnMFA"
    }


    I changed the MFA resource to any, as the AWS console now allows users to set their own device name.