在AWS IAM中,可以通过以下代码示例来限制MFA设备管理权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
},
"Resource": [
"arn:aws:iam::123456789012:user/*",
"arn:aws:iam::123456789012:mfa/*"
]
},
{
"Sid": "DenyWithoutMFA",
"Effect": "Deny",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Condition": {
"Null": {
"aws:MultiFactorAuthPresent": "true"
}
},
"Resource": [
"arn:aws:iam::123456789012:user/*",
"arn:aws:iam::123456789012:mfa/*"
]
}
]
}
上述代码中,“AllowMFA”声明允许已通过MFA认证的会话(请求上下文中 aws:MultiFactorAuthPresent 为 true)执行包括创建、启用、同步、停用和删除MFA设备等在内的所有MFA设备操作;而“DenyWithoutMFA”声明则拒绝请求上下文中不存在 aws:MultiFactorAuthPresent 键(即未使用MFA认证)的请求执行相同的操作。需要注意,Resource 中的 user/* 和 mfa/* 覆盖该账户内的所有用户和MFA设备,因此任何通过MFA认证的主体都可以管理其他用户的MFA设备;若只允许用户管理自己的设备,应将资源限定为 user/${aws:username} 和 mfa/${aws:username}。另外,由于 Allow 语句要求MFA已存在,尚未绑定任何MFA设备的用户无法凭此策略创建并启用首个设备,需另行授权。此配置可应用于用户或IAM角色。需将ARN替换为用户或角色的ARN。