AWS如何强制启用MFA,否则无法操作?

spider · · 112 次点击
``` { "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAllExceptSelfManagementIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:ChangePassword", "iam:GetUser", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "iam:DeleteVirtualMFADevice", "iam:GetLoginProfile", "iam:UpdateLoginProfile", "sts:GetSessionToken" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } }, { "Sid": "AllowSelfManageUserAndMFA", "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetUser", "iam:EnableMFADevice", "iam:ResyncMFADevice", "iam:DeleteVirtualMFADevice", "iam:GetLoginProfile", "iam:UpdateLoginProfile", "iam:ListMFADevices" ], "Resource": [ "arn:aws:iam::*:user/${aws:username}", "arn:aws:iam::*:mfa/${aws:username}" ] }, { "Sid": "AllowListVirtualMFADevices", "Effect": "Allow", "Action": "iam:ListVirtualMFADevices", "Resource": "*" }, { "Sid": "AllowCreateVirtualMFADevice", "Effect": "Allow", "Action": "iam:CreateVirtualMFADevice", "Resource": "arn:aws:iam::*:mfa/*" } ] } ```
#3
``` { "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAllExceptSelfManagementIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:ChangePassword", "iam:GetUser", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListUsers", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "iam:DeleteVirtualMFADevice", "sts:GetSessionToken" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] } ```
#1
``` { "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAllExceptSelfManagementIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:ChangePassword", "iam:GetUser", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "iam:DeleteVirtualMFADevice", "iam:GetLoginProfile", "iam:UpdateLoginProfile", "sts:GetSessionToken" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } }, { "Sid": "AllowSelfManageMFA", "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetUser", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "iam:DeleteVirtualMFADevice", "iam:GetLoginProfile", "iam:UpdateLoginProfile" ], "Resource": [ "arn:aws:iam::*:user/${aws:username}", "arn:aws:iam::*:mfa/${aws:username}", "arn:aws:iam::*:user/${aws:username}/*" ] } ] } ```
#2