- 30 Apr 2024
Defining a Policy for Sub-Users to Change Passwords and Enable MFA
- Updated on 30 Apr 2024
By default, sub-users on an account do not have permission to change passwords or enable Multi-Factor Authentication (MFA). If a sub-user attempts to change a password or enable MFA, an error message will display.
A Root account user can define an IAM policy to grant sub-users the ability to change passwords and enable MFA. The policy will not allow sub-users to disable or delete MFA.
Creating the IAM Policy
Click Policies on the Wasabi menu.
Click the Create Policy button.
Enter a policy name. A list of suggested names may appear from which you can select, but you can enter any name.
Optionally, enter a description.
Copy and paste the following policy content into the Policy Editor.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUserToCreateVirtualMFADevice",
      "Effect": "Allow",
      "Action": "iam:CreateVirtualMFADevice",
      "Resource": [
        "arn:aws:iam::AccountNumber:mfa/*",
        "arn:aws:iam::AccountNumber:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowUserToManageOwnMFA",
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::AccountNumber:user/${aws:username}",
        "arn:aws:iam::AccountNumber:mfa/*"
      ]
    },
    {
      "Sid": "AllowUsersToChangePassword",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:GetLoginProfile",
        "iam:UpdateLoginProfile"
      ],
      "Resource": "arn:aws:iam::AccountNumber:user/${aws:username}"
    }
  ]
}
Change each occurrence of AccountNumber to match your Wasabi account number. This number is found in the Users section (of the Wasabi menu) and is the same for every sub-user under the account.
When you see a message that the policy is valid, you can click Create Policy to create the new policy.
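An edited copy of the policy can be checked offline before it is pasted into the Policy Editor. The Python script below is an added example, not Wasabi's code: it flags an unreplaced AccountNumber placeholder, any action pattern that would let a sub-user disable or delete MFA, and self-service actions whose Resource reaches beyond ${aws:username}. It assumes the standard IAM action names iam:DeactivateMFADevice and iam:DeleteVirtualMFADevice for MFA removal, and the sample policy in it is constructed.

```python
import json
from fnmatch import fnmatchcase

# Assumption: standard IAM actions that turn MFA off; the page says the policy must not allow this.
MFA_REMOVAL = ("iam:deactivatemfadevice", "iam:deletevirtualmfadevice")
# Self-service actions from the page's policy that must stay scoped to the caller's own user.
SELF_ONLY = ("iam:changepassword", "iam:updateloginprofile",
             "iam:enablemfadevice", "iam:resyncmfadevice")
OWN_USER = ":user/${aws:username}"

def as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_text):
    """Return findings for a policy document; an empty list means no issue was found."""
    findings = []
    if "AccountNumber" in policy_text:
        findings.append("placeholder AccountNumber was not replaced")
    for i, stmt in enumerate(as_list(json.loads(policy_text)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement {i}")
        patterns = [a.lower() for a in as_list(stmt.get("Action", []))]
        # IAM action wildcards (* and ?) are matched like shell globs here.
        if any(fnmatchcase(act, p) for p in patterns for act in MFA_REMOVAL):
            findings.append(f"{sid}: allows disabling or deleting MFA")
        if any(fnmatchcase(act, p) for p in patterns for act in SELF_ONLY):
            for res in as_list(stmt.get("Resource", [])):
                if res == "*" or (":user/" in res and not res.endswith(OWN_USER)):
                    findings.append(f"{sid}: {res} reaches other users")
    return findings

# Constructed sample: a careless edit of the page's policy (user/* and an MFA removal wildcard).
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowUsersToChangePassword", "Effect": "Allow",
     "Action": ["iam:ChangePassword", "iam:UpdateLoginProfile"],
     "Resource": "arn:aws:iam::AccountNumber:user/*"},
    {"Sid": "ManageMFA", "Effect": "Allow", "Action": "iam:D*MFADevice",
     "Resource": "arn:aws:iam::AccountNumber:mfa/*"}]})

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE):
        print(finding)
```

The page's own policy, with AccountNumber replaced, produces no findings; the constructed sample produces three.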
Applying the Policy to a Group or Individual Sub-User
Wasabi recommends that you apply the policy to a group of sub-users.
Click Groups.
Click the name of the group to which this policy will apply.
Scroll down and open the Policies drop-down.
In the Search box, enter the policy name to select it.
To apply the policy to an individual sub-user:
Click Users.
Click the name of the sub-user to which this policy will apply.
Scroll down and open the Policies drop-down.
In the Search box, enter the policy name to select it.