<Marc Qualie/>

IAM Policy for humans

Configuring IAM is essential for any AWS account. The most common use case is granting access to EC2 instances, or allowing web apps to read/write to S3. While it's not recommended to make any direct changes in the AWS console, it's sometimes helpful to allow humans to browse around and view configurations.

To simplify management of these user accounts, it's helpful to allow individuals to manage their own credentials and configure things like MFA devices. Below is the policy I created as a drop in starting point for allowing any human users to login to the console. Note, this does not grant any access to any resources inside AWS, only for a user to manage their own password, access keys and MFA devices. Permissions for resources still need to be added otherwise the console will be a very boring place.

The easist way to apply this policy to all humans is to create an IAM group called humans. Whenever you wish to allow a user to login the AWS console and manage their own account, simply add them to the humans group.

Allow viewing of account status

Users need to be able to see what their account settings currently are.

{
  "Sid": "AllowViewAccountInfo",
  "Effect": "Allow",
  "Action": [
    "iam:GetAccountPasswordPolicy",
    "iam:GetAccountSummary",
    "iam:GetUser",
    "iam:ListVirtualMFADevices"
  ],
  "Resource": "*"
}

Change Password

A user should be allowed to change their own password without contacting their administrator.

{
  "Sid": "AllowManageOwnPasswords",
  "Effect": "Allow",
  "Action": [
    "iam:ChangePassword"
  ],
  "Resource": "arn:aws:iam::*:user/${aws:username}"
}

Access Key Management

If users want to interact with the AWS APIs, they'll need to generate access keys that inherit their policy permissions.

{
  "Sid": "AllowManageOwnAccessKeys",
  "Effect": "Allow",
  "Action": [
    "iam:CreateAccessKey",
    "iam:DeleteAccessKey",
    "iam:GetAccessKeyLastUsed",
    "iam:ListAccessKeys",
    "iam:UpdateAccessKey"
  ],
  "Resource": "arn:aws:iam::*:user/${aws:username}"
}

Manage MFA

Using MFA (Multi-Factor Authentication) is highly encouraged, so all users should be able to manage their own virtual MFA devices.

{
  "Sid": "AllowManageOwnUserMFA",
  "Effect": "Allow",
  "Action": [
    "iam:DeactivateMFADevice",
    "iam:EnableMFADevice",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ResyncMFADevice"
  ],
  "Resource": "arn:aws:iam::*:user/${aws:username}"
}

Full Policy

The full policy combined is dsiplayed below in full.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetUser",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnPasswords",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:GetAccessKeyLastUsed",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}

If you have any questions about this post, or anything else, you can get in touch on Bluesky or browse my code on Github.