-1
我想向我們的新用戶發送他們的IAM用戶名和臨時憑證,然後要求他們更改密碼並要求他們在配置自己的虛擬MFA訪問控制檯中的其他任何東西。AWS IAM策略:要求用戶自行配置MFA
1)創建用戶時,我顯然可以生成一個臨時密碼,並要求他們在第一次登錄時進行更改。 Security Credentials-->Manage Password-->'Require user to create a new password at next sign-in'.
2)以下政策將permit IAM users to change their own passwords:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
}
}
3)以下政策allows users to manage only their own virtual mfa devices:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
]
},
{
"Sid": "AllowUsersToDeactivateTheirOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
},
{
"Sid": "AllowUsersToListMFADevicesandUsersForConsole",
"Effect": "Allow",
"Action": [
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
使用三種方法上面,我可以要求他們更改他們的密碼,並讓他們配置他們自己的虛擬MFA設備,我只是不知道是否有辦法要求他們配置MFA。
要求他們配置MFA的方法意味着,是否要爲每個用戶配置MFA? – error2007s
顯然你不能。但是,如果您的用戶都在分組中,您可以向組策略添加一個條件來強制執行mfa設置。不過,我不確定如果你的用戶在第一個地方沒有MFA,它可以工作,他們可以阻止我想......無論如何,這是一個重複的「http://serverfault.com/questions/483183/ can-you-require-mfa-for-aws-iam-accounts「 – Olivier
Thanks @Olivier - 我原本以爲這不是重複的,因爲我希望他們能夠自己配置它,並認爲該策略的條件將完全限制他們登錄,但如果我將其附加到只讀策略,它確實可行,但是您需要上述兩個選項才能使其工作,所以其他答案不是完整的解決方案。 –