LoginSignup
1
3

More than 5 years have passed since last update.

@s-niim(俊介 新村)

PowerUser+MFA+アクセスキーの発行+自分のパスワードの変更ができるユーザー、

Last updated at Posted at 2018-03-27

勉強用の共有アカウントでadminより弱い(PowerUser)けど

MFA設定+自分のアクセスキーの発行・更新+パスワードの変更ができるユーザーが作りたかったのでネットを漁って設定を探した

-グループを作成

-グループに以下のロールをアタッチ
image.png

Allow-mypassword
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:GetAccountPasswordPolicy",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:ChangePassword",
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}
allow-manage-mfa
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUsersToCreateDeleteTheirOwnVirtualMFADevices",
            "Effect": "Allow",
            "Action": [
                "iam:*VirtualMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/${aws:username}"
            ]
        },
        {
            "Sid": "AllowUsersToEnableSyncDisableTheirOwnMFADevices",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowUsersToListVirtualMFADevices",
            "Effect": "Allow",
            "Action": [
                "iam:ListVirtualMFADevices"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/*"
            ]
        },
        {
            "Sid": "AllowUsersToListUsersInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers"
            ],
            "Resource": [
                "arn:aws:iam::*:user/*"
            ]
        }
    ]
}
allow-manage-own-credential
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUsersAllActionsForCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:*LoginProfile",
                "iam:*AccessKey*",
                "iam:*SigningCertificate*"
            ],
            "Resource": [
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccount*",
                "iam:ListAccount*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowUsersToListUsersInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers"
            ],
            "Resource": [
                "arn:aws:iam::*:user/*"
            ]
        }
    ]
}

まだうまく行くかは試していない(見た目は大丈夫そう)
これから実際に配布して使って貰う予定

→使ってみたらやりたいことは一応できたが、やりたかったECSのクラスター作成がポリシーのアタッチができないのでコケた。のでもう一つポリシーのアタッチをできるポリシーを追加した。

allow-manage-policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:Get*",
                "iam:List*",
                "iam:PassRole",
                "iam:CreateRole",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy"
            ],
            "Resource": "*"
        }
    ]
}

やりたかったこと、何人かのユーザに個別ユーザでログインさせて、自分のパス変更、MFA設定、アクセスキーの発行をさせて、それからECSのクラスターで色々テストをしてほしかった。

1
3
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
1
3