Thursday, August 21, 2014

AWS: Allowing IAM user to manage their own MFA device

When enabling MFA (Multi-factor Authentication) on AWS Web Console, only users with admin privilege can configure the MFA device for each IAM user. This pose a problem if your users are not in the same physical location. To allow each IAM user to be able to configure the device on their own, you must add specific IAM policy:-

http://docs.aws.amazon.com/IAM/latest/UserGuide/Credentials-Permissions-examples.html#creds-policies-mfa-console

If you're using the default PowerUserAccess, that policy also basically remove access to the whole IAM so make sure to change that too. The default policy:-

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*"
    }
  ]
}

Change that to:-
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:*"
    }
  ]
}
Finally, user also has at least read only access to the IAM.