How to create a policy to enable Multi-factor Authentication (MFA) for non-Administrator users on Cloud Object Storage powered by Wasabi
Description
By default, Multi-factor Authentication (MFA) cannot be enabled for sub-users without Administrator Access.
Here is the procedure to create a policy to grant access to non-administrator users to MFA Settings.
Procedure
- Login to the Wasabi console using your credentials (using the root account or a sub-user with Administrator Access)
- Go to the Policies section and click on CREATE POLICY.
- Enter a policy name and a policy description
In this example, the policy name is “Enable_MFA_Settings”
- Copy the JSON code below and paste it in the Policy Editor section.
Then, click on CREATE POLICY.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListActions",
"Effect": "Allow",
"Action": [
"iam:ListUsers",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
"Effect": "Allow",
"Action": "iam:ListMFADevices",
"Resource": [
"arn:aws:iam::*:mfa/*",
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToManageTheirOwnMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
"Effect": "Allow",
"Action": "iam:DeactivateMFADevice",
"Resource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}
5. Assign the policy to desired users or groups.
Please refer to the article on how to create groups and assign policies if needed.