本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。 # IAM:可讓 IAM 使用者自行管理 MFA 裝置 此範例會示範如何建立身分型政策,允許 IAM 使用者自行管理其[多重要素驗證 (MFA)](id_credentials_mfa.md) 裝置。此政策授予從 AWS API 或 以程式設計方式完成此動作所需的許可 AWS CLI。 **注意** 如果具有此政策的 IAM 使用者未經 MFA 驗證,則此政策會拒絕存取所有 AWS 動作,但使用 MFA 驗證所需的動作除外。如果您為登入的使用者新增這些許可 AWS,他們可能需要登出再重新登入,才能查看這些變更。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowListActions", "Effect": "Allow", "Action": [ "iam:ListUsers", "iam:ListVirtualMFADevices" ], "Resource": "*" }, { "Sid": "AllowUserToCreateVirtualMFADevice", "Effect": "Allow", "Action": [ "iam:CreateVirtualMFADevice" ], "Resource": "arn:aws:iam::*:mfa/*" }, { "Sid": "AllowUserToManageTheirOwnMFA", "Effect": "Allow", "Action": [ "iam:EnableMFADevice", "iam:GetMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowUserToDeactivateTheirOwnMFAOnlyWhenUsingMFA", "Effect": "Allow", "Action": [ "iam:DeactivateMFADevice" ], "Resource": [ "arn:aws:iam::*:user/${aws:username}" ], "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } }, { "Sid": "BlockMostAccessUnlessSignedInWithMFA", "Effect": "Deny", "NotAction": [ "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ListUsers", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] } ``` ------