Defining a Policy for Sub-Users to Change Passwords and Enable MFA
    • 25 Jun 2024

    By default, sub-users on an account do not have permission to change their passwords or to enable Multi-Factor Authentication (MFA). If a sub-user attempts to change a password or enable MFA, an error message is displayed.

    The Root account user can define an IAM policy that grants sub-users the ability to change their own passwords and enable MFA for themselves. The policy does not allow sub-users to disable or delete MFA.

    Creating the IAM Policy

    1. You will need your Wasabi account number in the following instructions. To find it, click Users (in the Wasabi menu). On the Users list, note the ARN column. The ARN includes your account number, which is the same for every sub-user under the account. In this example, the account number is 100001028168.

    2. Click Policies on the Wasabi menu.
    3. Click Create Policy.
    4. Enter a policy name. A list of suggested names may be offered for you to select from, but you can enter any name.
    5. Optionally, enter a description.

    6. Copy and paste the following policy content into the Policy Editor.
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "iam:GetAccountPasswordPolicy",
              "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
          },
          {
            "Sid": "AllowUserToCreateVirtualMFADevice",
            "Effect": "Allow",
            "Action": "iam:CreateVirtualMFADevice",
            "Resource": [
              "arn:aws:iam::AccountNumber:mfa/*",
              "arn:aws:iam::AccountNumber:user/${aws:username}"
            ]
          },
          {
            "Sid": "AllowUserToManageOwnMFA",
            "Effect": "Allow",
            "Action": [
              "iam:EnableMFADevice",
              "iam:GetUser",
              "iam:ListMFADevices",
              "iam:ResyncMFADevice"
            ],
            "Resource": [
              "arn:aws:iam::AccountNumber:user/${aws:username}",
              "arn:aws:iam::AccountNumber:mfa/*"
            ]
          },
          {
            "Sid": "AllowUsersToChangePassword",
            "Effect": "Allow",
            "Action": [
              "iam:ChangePassword",
              "iam:GetLoginProfile",
              "iam:UpdateLoginProfile"
            ],
            "Resource": "arn:aws:iam::AccountNumber:user/${aws:username}"
          }
        ]
      }

      Change every occurrence of AccountNumber to your Wasabi account number, which is found in the ARN column of the Users list. For example, with account number 100001028168 the last Resource becomes arn:aws:iam::100001028168:user/${aws:username}. The ${aws:username} variable is left as-is; it resolves to the sub-user making the request, which is what restricts each sub-user to its own password and MFA device.

    7. When you see a message that the policy is valid, you can click Create Policy to create the new policy.
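    As an added example (not part of the Wasabi article or Wasabi's own tooling), the following Python script performs step 6 programmatically and then checks the rendered policy for the properties the article relies on: the account number is substituted everywhere, every user-scoped Resource is limited to ${aws:username}, the only wildcard Resource carries read-only actions, and no statement grants the MFA-removal actions iam:DeactivateMFADevice or iam:DeleteVirtualMFADevice. The account number 100001028168 is the article's example; the policy is embedded in compact form.

```python
import json
import re

ACCOUNT = "100001028168"  # the account number shown in the article's example
# The article's policy in compact form, AccountNumber placeholder still unsubstituted.
POLICY_TEMPLATE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"]},
    {"Sid": "AllowUserToCreateVirtualMFADevice", "Effect": "Allow", "Action": "iam:CreateVirtualMFADevice",
     "Resource": ["arn:aws:iam::AccountNumber:mfa/*", "arn:aws:iam::AccountNumber:user/${aws:username}"]},
    {"Sid": "AllowUserToManageOwnMFA", "Effect": "Allow",
     "Action": ["iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Resource": ["arn:aws:iam::AccountNumber:user/${aws:username}", "arn:aws:iam::AccountNumber:mfa/*"]},
    {"Sid": "AllowUsersToChangePassword", "Effect": "Allow",
     "Action": ["iam:ChangePassword", "iam:GetLoginProfile", "iam:UpdateLoginProfile"],
     "Resource": "arn:aws:iam::AccountNumber:user/${aws:username}"}]})

# Actions that would let a sub-user remove MFA; the article states the policy must not grant them.
MFA_REMOVAL_ACTIONS = {"iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"}

def render_policy(template: str, account_number: str) -> dict:
    """Step 6 of the article: replace AccountNumber, then parse the JSON."""
    if not re.fullmatch(r"[0-9]+", account_number):
        raise ValueError("account number must be digits only (see the ARN column on the Users list)")
    return json.loads(template.replace("AccountNumber", account_number))

def check_policy(policy: dict, account_number: str) -> list:
    """Return findings; an empty list means every Allow is scoped as the article describes."""
    findings, prefix = [], "arn:aws:iam::" + account_number + ":"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid, act, res = stmt.get("Sid", "<no Sid>"), stmt["Action"], stmt["Resource"]
        actions = [act] if isinstance(act, str) else list(act)
        for bad in sorted(MFA_REMOVAL_ACTIONS & set(actions)):
            findings.append(sid + ": grants " + bad)
        for r in ([res] if isinstance(res, str) else res):
            if r == "*":  # a wildcard resource is only acceptable for read-only listing calls
                if not all(a.startswith(("iam:Get", "iam:List")) for a in actions):
                    findings.append(sid + ": non-read action allowed on Resource '*'")
            elif not r.startswith(prefix):
                findings.append(sid + ": resource not scoped to account " + account_number + ": " + r)
            elif r.startswith(prefix + "user/") and not r.endswith("user/${aws:username}"):
                findings.append(sid + ": user resource not limited to the caller: " + r)
    return findings

if __name__ == "__main__":
    rendered = render_policy(POLICY_TEMPLATE, ACCOUNT)
    print("findings:", check_policy(rendered, ACCOUNT) or "none")
```

Running it against the article's policy reports no findings; editing a statement (for example, widening AllowUsersToChangePassword to Resource "*") makes the corresponding finding appear, which is the check worth repeating before attaching a modified policy to a group.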

    Applying the Policy to a Group or Individual Sub-User

    Wasabi recommends that you apply the policy to a group of sub-users.

    1. Click Groups.
    2. Click the name of the group to which this policy will apply.
    3. Scroll down and open the Policies drop-down.
    4. In the Search box, enter the policy name to select it.

    To apply the policy to an individual sub-user:

    1. Click Users.
    2. Click the name of the sub-user to which this policy will apply.
    3. Scroll down and open the Policies drop-down.
    4. In the Search box, enter the policy name to select it.