尽管我为 AWS IAM 账户添加了权限,但用户仍无法使用 MFA

尽管我为 AWS IAM 账户添加了权限,但用户仍无法使用 MFA

我拥有我所在公司使用的 AWS 账户之一的管理员权限。我正在尝试让所有用户强制执行 MFA。我遵循了以下教程:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html

我创建了该策略,然后将该策略直接分配给用户Gregory。但是,当他登录并尝试设置 MFA 时,他看到一个充满权限错误的页面,例如:

Gregory is not authorized to perform: 
iam:ListMFADevices on resource: gregory 
because no permissions boundary allows 
the iam:ListMFADevices action

但 ListMFADevices 操作是我创建并附加到此用户的策略的一部分。那么我遗漏了什么?

编辑

这是我遵循的另一个页面上的策略,即教程。我将其直接应用于用户:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowListActions",
        "Effect": "Allow",
        "Action": [
            "iam:ListUsers",
            "iam:ListVirtualMFADevices"
        ],
        "Resource": "*"
    },
    {
        "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
        "Effect": "Allow",
        "Action": [
            "iam:ListMFADevices"
        ],
        "Resource": [
            "arn:aws:iam::*:mfa/*",
            "arn:aws:iam::*:user/${aws:username}"
        ]
    },
    {
        "Sid": "AllowIndividualUserToManageTheirOwnMFA",
        "Effect": "Allow",
        "Action": [
            "iam:CreateVirtualMFADevice",
            "iam:DeleteVirtualMFADevice",
            "iam:EnableMFADevice",
            "iam:ResyncMFADevice"
        ],
        "Resource": [
            "arn:aws:iam::*:mfa/${aws:username}",
            "arn:aws:iam::*:user/${aws:username}"
        ]
    },
    {
        "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
        "Effect": "Allow",
        "Action": [
            "iam:DeactivateMFADevice"
        ],
        "Resource": [
            "arn:aws:iam::*:mfa/${aws:username}",
            "arn:aws:iam::*:user/${aws:username}"
        ],
        "Condition": {
            "Bool": {
                "aws:MultiFactorAuthPresent": "true"
            }
        }
    },
    {
        "Sid": "BlockMostAccessUnlessSignedInWithMFA",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice",
            "iam:EnableMFADevice",
            "iam:ListMFADevices",
            "iam:ListUsers",
            "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice"
        ],
        "Resource": "*",
        "Condition": {
            "BoolIfExists": {
                "aws:MultiFactorAuthPresent": "false"
            }
        }
    }
]
}

答案1

事实证明,该帐户有一个默认组,其策略边界阻止了我想要做的事情。

相关内容