AWS Identity and Access Management
User Guide
The AWS services or features described in the AWS documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon AWS.

IAM: Allow IAM users to self-manage an MFA device

This example shows how you might create a policy that allows IAM users to self-manage their own MFA device.

Note

If you add these permissions to a user who is already signed in to AWS, the user must sign out and sign back in before the changes take effect.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowUsersToDeactivateTheirOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}"
            ],
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
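As an added example (not part of the AWS documentation), the following Python checker verifies the two guardrails this policy relies on before it is attached: every MFA-changing action is limited to the caller's own user and MFA ARNs through ${aws:username}, and iam:DeactivateMFADevice is granted only when aws:MultiFactorAuthPresent is true, so a password alone cannot remove the second factor. The function names and the weakened sample policy are this example's own constructions.

```python
import json
from fnmatch import fnmatchcase

# Actions that change MFA state; they must stay scoped to the caller's own ARNs.
MFA_MUTATING = {"iam:createvirtualmfadevice", "iam:enablemfadevice",
                "iam:resyncmfadevice", "iam:deletevirtualmfadevice",
                "iam:deactivatemfadevice"}
SELF_SCOPED = {"arn:aws:iam::*:mfa/${aws:username}",
               "arn:aws:iam::*:user/${aws:username}"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _granted(actions, name):
    # IAM action names are case-insensitive and may contain wildcards (iam:*).
    return any(fnmatchcase(name, a.lower()) for a in actions)

def check_mfa_policy(policy_json):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = set(_as_list(st.get("Resource", [])))
        if any(_granted(actions, m) for m in MFA_MUTATING) \
                and not resources <= SELF_SCOPED:
            findings.append("statement %d: MFA action not limited to "
                            "${aws:username} resources" % i)
        if _granted(actions, "iam:deactivatemfadevice"):
            # Only a plain "Bool" test counts: the aws:MultiFactorAuthPresent key
            # is absent for long-term credentials, so "BoolIfExists" would pass them.
            cond = st.get("Condition", {}).get("Bool", {})
            flag = _as_list(cond.get("aws:MultiFactorAuthPresent", "false"))
            if [str(f).lower() for f in flag] != ["true"]:
                findings.append("statement %d: DeactivateMFADevice allowed "
                                "without an MFA-authenticated session" % i)
    return findings

# Constructed input: a weakened variant of the page's policy in which the
# Deactivate statement lost its MFA condition and was widened to Resource "*".
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:DeactivateMFADevice", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:ListMFADevices", "iam:ListUsers"],
     "Resource": "*"}]})

if __name__ == "__main__":
    print("\n".join(check_mfa_policy(WEAK_POLICY)) or "policy OK")
```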