Closed vutny closed 11 months ago
@bryantbiggs , please have a look. Thanks!
This PR is included in version 5.31.0 :tada:
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
This PR corrects IAM Self-manage policy according to example from AWS: Allows MFA-authenticated IAM users to manage their own credentials on the My security credentials page :
iam:GetLoginProfile
andiam:UpdateLoginProfile
actions to be added to theAllowManageOwnPasswords
statement.DenyAllExceptListedIfNoMFA
statement has been corrected to include missingiam:GetMFADevice
permission for own MFA management.iam:ChangePassword
action should not be allowed without MFA authorization if it was enforced. This does not allow a user to create a password at sign-in, the MFA must be created and user must authenticate using it before attempting to change administrator provided password.Motivation and Context
Stay up to date with AWS recommendations for access policies, grant permissions necessary for IAM user selfie-management via AWS Web Console. Make sure if MFA is enforced, it disallows unauthorized password change for IAM user in case of credentials leak.
Breaking Changes
None.
How Has This Been Tested?
examples/*
to demonstrate and validate my change(s)examples/*
projectspre-commit run -a
on my pull request