问题
需要给开发组的IAM用户分配,如下权限:
- 允许使用 MFA
- 自行管理自己的密码
- 访问密钥
- SSH 公有密钥的权限
权限json
{"Version": "2012-10-17","Statement": [{"Sid": "AllowViewAccountInfo","Effect": "Allow","Action": ["iam:GetAccountPasswordPolicy","iam:GetAccountSummary","iam:ListVirtualMFADevices"],"Resource": "*"},{"Sid": "AllowManageOwnVirtualMFADevice","Effect": "Allow","Action": ["iam:CreateVirtualMFADevice"],"Resource": "arn:aws:iam::*:mfa/*"},{"Sid": "AllowManageOwnPasswords","Effect": "Allow","Action": ["iam:ChangePassword","iam:GetUser","iam:DeactivateMFADevice","iam:EnableMFADevice","iam:GetMFADevice","iam:ListMFADevices","iam:ResyncMFADevice"],"Resource": "arn:aws:iam::*:user/${aws:username}"},{"Sid": "AllowManageOwnAccessKeys","Effect": "Allow","Action": ["iam:CreateAccessKey","iam:DeleteAccessKey","iam:ListAccessKeys","iam:UpdateAccessKey","iam:GetAccessKeyLastUsed"],"Resource": "arn:aws:iam::*:user/${aws:username}"},{"Sid": "AllowManageOwnSSHPublicKeys","Effect": "Allow","Action": ["iam:DeleteSSHPublicKey","iam:GetSSHPublicKey","iam:ListSSHPublicKeys","iam:UpdateSSHPublicKey","iam:UploadSSHPublicKey"],"Resource": "arn:aws:iam::*:user/${aws:username}"}]
}
参考
- AWS:允许 IAM 用户在“安全凭证”页面上管理自己的密码、访问密钥和 SSH 公有密钥
- AWS:允许使用 MFA 完成身份验证的 IAM 用户在“安全凭证”页面上管理自己的 MFA 设备。