AWS IAM permissions that allow users to set up MFA devices for themselves. `${aws:username}` restricts access to the logged-in user only. `iam:ListUsers` allows them to navigate to their own user in the AWS console. To be used with groups that otherwise don't have access to IAM, or only have read-only access. Note that, as written, the policy also lets the user deactivate and delete their own device without presenting MFA, so a stolen password alone is enough to remove it; AWS's reference self-service MFA policy adds a Deny statement for everything except these setup actions when `aws:MultiFactorAuthPresent` is false.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateDeleteOwnVirtualMFA",
      "Effect": "Allow",
      "Action": ["iam:*VirtualMFADevice"],
      "Resource": ["arn:aws:iam::123456789012:mfa/${aws:username}"]
    },
    {
      "Sid": "EnableSetupDisableOwnMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": ["arn:aws:iam::123456789012:user/${aws:username}"]
    },
    {
      "Sid": "ListVirtualMFADevices",
      "Effect": "Allow",
      "Action": ["iam:ListVirtualMFADevices"],
      "Resource": ["arn:aws:iam::123456789012:mfa/*"]
    },
    {
      "Sid": "NavigateConsole",
      "Effect": "Allow",
      "Action": ["iam:ListUsers"],
      "Resource": ["arn:aws:iam::123456789012:user/*"]
    }
  ]
}