Defining a Policy for Sub-Users to Change Passwords and Enable MFA
- 25 Jun 2024
By default, sub-users on a Wasabi account do not have permission to change their own password or to enable Multi-Factor Authentication (MFA). If a sub-user attempts either action, an error message is displayed.
The Root account user can define an IAM policy that grants sub-users the ability to change their own password and enable MFA on their own user. The policy below grants only those actions; it does not include the actions needed to deactivate or delete an MFA device, so sub-users cannot turn MFA off once it is enabled.
Creating the IAM Policy
- You will need your Wasabi account number in the following instructions. To find it, click Users (in the Wasabi menu). On the Users list, note the ARN column. Each ARN includes your account number, which is the same for every sub-user under the account. For example, in the ARN arn:aws:iam::100001028168:user/<sub-user name>, 100001028168 is the account number.
- Click Policies on the Wasabi menu.
- Click Create Policy.
- Enter a policy name. A list of suggested names may appear, from which you can select, but you can enter any name.
- Optionally, enter a description.
- Copy and paste the following policy content into the Policy Editor.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:GetAccountPasswordPolicy",
            "iam:ListVirtualMFADevices"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowUserToCreateVirtualMFADevice",
          "Effect": "Allow",
          "Action": "iam:CreateVirtualMFADevice",
          "Resource": [
            "arn:aws:iam::AccountNumber:mfa/*",
            "arn:aws:iam::AccountNumber:user/${aws:username}"
          ]
        },
        {
          "Sid": "AllowUserToManageOwnMFA",
          "Effect": "Allow",
          "Action": [
            "iam:EnableMFADevice",
            "iam:GetUser",
            "iam:ListMFADevices",
            "iam:ResyncMFADevice"
          ],
          "Resource": [
            "arn:aws:iam::AccountNumber:user/${aws:username}",
            "arn:aws:iam::AccountNumber:mfa/*"
          ]
        },
        {
          "Sid": "AllowUsersToChangePassword",
          "Effect": "Allow",
          "Action": [
            "iam:ChangePassword",
            "iam:GetLoginProfile",
            "iam:UpdateLoginProfile"
          ],
          "Resource": "arn:aws:iam::AccountNumber:user/${aws:username}"
        }
      ]
    }
Replace all five occurrences of AccountNumber with your Wasabi account number from the Users list. Leave ${aws:username} as written: it is an IAM policy variable that resolves to the name of the sub-user making the request, which is what limits each sub-user to their own user and MFA resources. For example, with account number 100001028168, the last Resource becomes arn:aws:iam::100001028168:user/${aws:username}.
- When the editor reports that the policy is valid, click Create Policy to create the new policy.
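The following is an added example, not part of the original article or of Wasabi's tooling. It embeds the policy above, fills in the account number the way step 6 describes, and then evaluates a few requests the way IAM evaluates an Allow-only identity policy: a request is allowed only if some statement matches both the action and the resource after ${aws:username} is resolved to the caller's user name. The user names alice and bob and the account number 100001028168 (the article's own example) are assumptions for illustration. Use it to confirm, before attaching the policy, that a sub-user can change only their own password and that no MFA-disabling action slips in.

```python
"""Render and sanity-check the Wasabi self-service password/MFA policy.

Added example: not the article's or Wasabi's code. Evaluates an Allow-only
IAM identity policy with the usual rule that a request is permitted only
when one statement matches both the action and the resource.
"""
import fnmatch
import json

# Account number from the article's example; replace with your own.
ACCOUNT_NUMBER = "100001028168"

# The policy exactly as given in the article, with AccountNumber unfilled.
POLICY_TEMPLATE = """
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow",
    "Action": [ "iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices" ],
    "Resource": "*" },
  { "Sid": "AllowUserToCreateVirtualMFADevice", "Effect": "Allow",
    "Action": "iam:CreateVirtualMFADevice",
    "Resource": [ "arn:aws:iam::AccountNumber:mfa/*",
                  "arn:aws:iam::AccountNumber:user/${aws:username}" ] },
  { "Sid": "AllowUserToManageOwnMFA", "Effect": "Allow",
    "Action": [ "iam:EnableMFADevice", "iam:GetUser",
                "iam:ListMFADevices", "iam:ResyncMFADevice" ],
    "Resource": [ "arn:aws:iam::AccountNumber:user/${aws:username}",
                  "arn:aws:iam::AccountNumber:mfa/*" ] },
  { "Sid": "AllowUsersToChangePassword", "Effect": "Allow",
    "Action": [ "iam:ChangePassword", "iam:GetLoginProfile",
                "iam:UpdateLoginProfile" ],
    "Resource": "arn:aws:iam::AccountNumber:user/${aws:username}" }
] }
"""


def render_policy(account_number: str) -> dict:
    """Step 6 of the article: substitute the account number and parse."""
    return json.loads(POLICY_TEMPLATE.replace("AccountNumber", account_number))


def _as_list(value):
    """IAM allows a string or a list in Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, username: str, action: str, resource: str) -> bool:
    """Evaluate one request against an Allow-only policy.

    Action names are matched case-insensitively, resource ARNs
    case-sensitively, with '*' as the only wildcard in use here.
    ${aws:username} is resolved to the requesting user's name.
    Explicit Deny is not modelled because this policy has none.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        for pattern in _as_list(stmt["Resource"]):
            pattern = pattern.replace("${aws:username}", username)
            if fnmatch.fnmatchcase(resource, pattern):
                return True
    return False


def mfa_disable_actions_allowed(policy: dict, username: str, account_number: str) -> list:
    """Return any MFA-disabling actions the policy grants; expected to be empty."""
    user_arn = f"arn:aws:iam::{account_number}:user/{username}"
    mfa_arn = f"arn:aws:iam::{account_number}:mfa/{username}"
    checks = {
        "iam:DeactivateMFADevice": user_arn,
        "iam:DeleteVirtualMFADevice": mfa_arn,
    }
    return [act for act, res in checks.items() if is_allowed(policy, username, act, res)]


if __name__ == "__main__":
    policy = render_policy(ACCOUNT_NUMBER)
    alice = f"arn:aws:iam::{ACCOUNT_NUMBER}:user/alice"
    bob = f"arn:aws:iam::{ACCOUNT_NUMBER}:user/bob"
    print("alice changes own password:", is_allowed(policy, "alice", "iam:ChangePassword", alice))
    print("alice changes bob's password:", is_allowed(policy, "alice", "iam:ChangePassword", bob))
    print("alice enables own MFA:", is_allowed(policy, "alice", "iam:EnableMFADevice", alice))
    print("MFA-disabling actions granted:", mfa_disable_actions_allowed(policy, "alice", ACCOUNT_NUMBER))
```

The check that matters most is the last one: because the policy never lists iam:DeactivateMFADevice or iam:DeleteVirtualMFADevice, the evaluator reports none granted, which is the behaviour the article promises. If you later edit the policy, rerun the script before attaching it to a group.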
Applying the Policy to a Group or Individual Sub-User
Wasabi recommends that you apply the policy to a group of sub-users rather than to individual users, so that new sub-users receive it when they are added to the group.
- Click Groups.
- Click the name of the group to which this policy will apply.
- Scroll down and open the Policies drop-down.
- In the Search box, enter the policy name to select it.
To apply the policy to an individual sub-user:
- Click Users.
- Click the name of the sub-user to which this policy will apply.
- Scroll down and open the Policies drop-down.
- In the Search box, enter the policy name to select it.