I created an IAM user at AWS that should be allowed to perform a couple of S3 bucket actions, but only when MFA is enabled. Therefore I added a policy according to the AWS documentation with the following content:
{
  "Statement": [
    {
      "Action": [
        "iam:ListVirtualMFADevices",
        "iam:ListUsers"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "AllowListActions"
    },
    {
      "Action": "iam:ListMFADevices",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::*:user/${aws:username}",
        "arn:aws:iam::*:mfa/*"
      ],
      "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA"
    },
    {
      "Action": [
        "iam:ResyncMFADevice",
        "iam:EnableMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:CreateVirtualMFADevice"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::*:user/${aws:username}",
        "arn:aws:iam::*:mfa/${aws:username}"
      ],
      "Sid": "AllowIndividualUserToManageTheirOwnMFA"
    },
    {
      "Action": "iam:DeactivateMFADevice",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::*:user/${aws:username}",
        "arn:aws:iam::*:mfa/${aws:username}"
      ],
      "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA"
    },
    {
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      },
      "Effect": "Deny",
      "NotAction": [
        "iam:ResyncMFADevice",
        "iam:ListVirtualMFADevices",
        "iam:ListUsers",
        "iam:ListMFADevices",
        "iam:EnableMFADevice",
        "iam:CreateVirtualMFADevice"
      ],
      "Resource": "*",
      "Sid": "BlockMostAccessUnlessSignedInWithMFA"
    }
  ],
  "Version": "2012-10-17"
}
This is simply the default policy, recommended by AWS. Nevertheless, when the particular user logs in and tries to add a virtual MFA, he sees the following error message:
User: arn:aws:iam::1234567890:user/users/[email protected] is not authorized to perform: iam:ListMFADevices on resource: user [email protected] because no identity-based policy allows the iam:ListMFADevices action
Do I miss something in the setup of the permissions?
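As an added example (not code from the question or any of the answers), here is a small offline check of how IAM resource patterns are matched against a principal's ARN: it substitutes `${aws:username}` and applies IAM's `*` and `?` wildcards. The user ARN in the error message carries an IAM path (`/users/`), which a `user/${aws:username}` pattern does not cover, whereas a pattern that includes the path segment does. It assumes the user's friendly name is the last segment of the ARN, and the ARN values below are constructed from the question.

```python
import re

# Constructed: the Resource patterns from the question's
# "AllowIndividualUserToListOnlyTheirOwnMFA" statement.
LIST_MFA_RESOURCES = [
    "arn:aws:iam::*:user/${aws:username}",
    "arn:aws:iam::*:mfa/*",
]

# Constructed: the user ARN from the error message (with path "/users/")
# and the same user without a path, for comparison.
USER_ARN_WITH_PATH = "arn:aws:iam::1234567890:user/users/[email protected]"
USER_ARN_NO_PATH = "arn:aws:iam::1234567890:user/[email protected]"

# Hypothetical pattern that accounts for the path segment.
PATH_AWARE_PATTERN = "arn:aws:iam::*:user/*/${aws:username}"


def username_from_arn(user_arn: str) -> str:
    """aws:username is the friendly name, i.e. the last ARN segment, without the path."""
    return user_arn.rsplit("/", 1)[1]


def arn_pattern_to_regex(pattern: str, username: str) -> re.Pattern:
    """Expand ${aws:username}, then turn IAM wildcards into a regex.
    In IAM resource ARNs '*' matches any run of characters (including '/')
    and '?' matches exactly one character."""
    expanded = pattern.replace("${aws:username}", username)
    escaped = re.escape(expanded).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def matching_resources(resources, user_arn: str) -> list:
    """Return the patterns in `resources` that match `user_arn` for that user."""
    username = username_from_arn(user_arn)
    return [p for p in resources if arn_pattern_to_regex(p, username).match(user_arn)]


if __name__ == "__main__":
    for arn in (USER_ARN_WITH_PATH, USER_ARN_NO_PATH):
        print(arn, "->", matching_resources(LIST_MFA_RESOURCES, arn) or "NO MATCH")
    print(USER_ARN_WITH_PATH, "->",
          matching_resources([PATH_AWARE_PATTERN], USER_ARN_WITH_PATH) or "NO MATCH")
```

Run it locally before attaching a policy to users that live under a non-root IAM path; no AWS credentials are needed.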
5 Answers
I too had a similar error recently; the AWS docs are awful on this. Once the MFA device is set up, everything works fine, but getting it set up, I couldn't find the permission for this either.
One workaround is to set this up for the user and send them a picture of the QR code, so they can complete the setup on their device.
It's not a perfect situation, as this requires trust in a human to do this initial step.
If anyone has the actual answer for how to do this, I too would be interested in hearing it, as in the AWS docs and content online I couldn't find the policy that needs to be applied for this to work without this manual intervention.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam:::mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam:::user/${aws:username}"
    }
  ]
}
This seems to work now. Remember that any IAM user needs to log out and then log in again after you change this in order for it to work.
Problem statement:
The user itself needs the right permission to perform the action "Create MFA".
Possibly the user was created with a deny strategy. Check the user role. Usually the root account provides users with allow policies;
iam:ListMFADevices
is recommended to be obtained by default for any new user. Side note: what you perform is applied as a resource policy on the S3 bucket.
I changed the mfa resource to any as AWS console now allows users to set their own device name.