# IAM:允许 IAM 用户自行管理 MFA 设备 此示例说明如何创建 IAM policy 以允许基于身份的用户自行管理其[多重身份验证(MFA)](id_credentials_mfa.md)设备。此策略授予有计划地通过 AWS API 或 AWS CLI 完成此操作的必要权限。 **注意** 如果具有此策略的 IAM 用户未通过 MFA 进行身份验证,则此策略会拒绝对所有 AWS 操作(使用 MFA 进行身份验证所需的操作除外)的访问。如果为已登录 AWS 的用户添加这些权限,他们需要注销并重新登录才能看到这些更改。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowListActions", "Effect": "Allow", "Action": [ "iam:ListUsers", "iam:ListVirtualMFADevices" ], "Resource": "*" }, { "Sid": "AllowUserToCreateVirtualMFADevice", "Effect": "Allow", "Action": [ "iam:CreateVirtualMFADevice" ], "Resource": "arn:aws:iam::*:mfa/*" }, { "Sid": "AllowUserToManageTheirOwnMFA", "Effect": "Allow", "Action": [ "iam:EnableMFADevice", "iam:GetMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowUserToDeactivateTheirOwnMFAOnlyWhenUsingMFA", "Effect": "Allow", "Action": [ "iam:DeactivateMFADevice" ], "Resource": [ "arn:aws:iam::*:user/${aws:username}" ], "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } }, { "Sid": "BlockMostAccessUnlessSignedInWithMFA", "Effect": "Deny", "NotAction": [ "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ListUsers", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] } ``` ------