How to create a policy to enable Multi-factor Authentication (MFA) for non-Administrator users on Cloud Object Storage powered by Wasabi


Description

By default, Multi-factor Authentication (MFA) cannot be enabled by sub-users who do not have Administrator Access: the IAM permissions needed to manage an MFA device are not granted to them.


Here is the procedure to create a policy that grants non-administrator users access to their own MFA settings.

Procedure

  1. Log in to the Wasabi console using your credentials (the root account or a sub-user with Administrator Access).


  2. Go to the Policies section and click on CREATE POLICY.


  3. Enter a policy name and a policy description.
    In this example, the policy name is “Enable_MFA_Settings”.


  4. Copy the JSON code below and paste it into the Policy Editor section, then click on CREATE POLICY.

    The policy relies on the ${aws:username} policy variable, so each user can only create, enable, resync and delete the virtual MFA device tied to their own user name, and cannot touch another user's device. iam:DeactivateMFADevice is additionally conditioned on aws:MultiFactorAuthPresent being true, so MFA can only be turned off from a session that was itself authenticated with MFA; a password alone is not enough. If you also want iam:DeleteVirtualMFADevice to require an MFA-authenticated session, move it from the third statement into the last one.

 {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "AllowListActions",
       "Effect": "Allow",
       "Action": [
         "iam:ListUsers",
         "iam:ListVirtualMFADevices"
       ],
       "Resource": "*"
     },
     {
       "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
       "Effect": "Allow",
       "Action": "iam:ListMFADevices",
       "Resource": [
         "arn:aws:iam::*:mfa/*",
         "arn:aws:iam::*:user/${aws:username}"
       ]
     },
     {
       "Sid": "AllowIndividualUserToManageTheirOwnMFA",
       "Effect": "Allow",
       "Action": [
         "iam:CreateVirtualMFADevice",
         "iam:DeleteVirtualMFADevice",
         "iam:EnableMFADevice",
         "iam:ResyncMFADevice"
       ],
       "Resource": [
         "arn:aws:iam::*:mfa/${aws:username}",
         "arn:aws:iam::*:user/${aws:username}"
       ]
     },
     {
       "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
       "Effect": "Allow",
       "Action": "iam:DeactivateMFADevice",
       "Resource": [
         "arn:aws:iam::*:mfa/${aws:username}",
         "arn:aws:iam::*:user/${aws:username}"
       ],
       "Condition": {
         "Bool": {
           "aws:MultiFactorAuthPresent": "true"
         }
       }
     }
   ]
 }





5. Assign the policy to the desired users or groups.

Please refer to the article on how to create groups and assign policies if needed.
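Before assigning the policy it helps to see exactly which requests it permits and which it denies. The script below is an added example, not part of the Wasabi article and not Wasabi tooling: it implements a small subset of IAM policy evaluation (Allow statements, "*" and "?" wildcards, ${aws:username} substitution, the Bool condition operator, implicit deny for everything else) and runs the policy above against constructed requests from a sub-user named alice. The account ID, user names and scenarios are assumptions made for the example. It demonstrates the two properties the policy depends on: ${aws:username} confines each user to their own device, and deactivation is only allowed from a session that already passed MFA.

```python
"""Offline check of what the MFA self-service policy permits.

Added example, not part of the Wasabi article: a deliberately small subset
of IAM policy evaluation sufficient for this one policy.  It is not the real
IAM engine and ignores features the policy does not use (explicit Deny,
NotAction, NotResource, other condition operators), so it cannot account for
other policies attached to the same user.  Account ID and user names are
constructed for the example.
"""
import fnmatch

# The policy from the article, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListActions", "Effect": "Allow",
         "Action": ["iam:ListUsers", "iam:ListVirtualMFADevices"],
         "Resource": "*"},
        {"Sid": "AllowIndividualUserToListOnlyTheirOwnMFA", "Effect": "Allow",
         "Action": "iam:ListMFADevices",
         "Resource": ["arn:aws:iam::*:mfa/*", "arn:aws:iam::*:user/${aws:username}"]},
        {"Sid": "AllowIndividualUserToManageTheirOwnMFA", "Effect": "Allow",
         "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice",
                    "iam:EnableMFADevice", "iam:ResyncMFADevice"],
         "Resource": ["arn:aws:iam::*:mfa/${aws:username}",
                      "arn:aws:iam::*:user/${aws:username}"]},
        {"Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
         "Effect": "Allow", "Action": "iam:DeactivateMFADevice",
         "Resource": ["arn:aws:iam::*:mfa/${aws:username}",
                      "arn:aws:iam::*:user/${aws:username}"],
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list in Action and Resource."""
    return value if isinstance(value, list) else [value]


def _expand(arn, context):
    """Substitute ${aws:username}, the only policy variable this policy uses."""
    return arn.replace("${aws:username}", context["aws:username"])


def _condition_holds(condition, context):
    """Only the Bool operator is modelled; a context key that is absent fails the test."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if str(context.get(key, "false")).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy, action, resource, context):
    """True if some Allow statement matches; anything else is an implicit deny.

    Action names match case-insensitively, resource ARNs case-sensitively,
    both with IAM-style '*' and '?' wildcards.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, _expand(r, context))
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def demo():
    """Constructed scenarios for sub-user 'alice' in constructed account 100000000001."""
    acct = "100000000001"
    own_user = f"arn:aws:iam::{acct}:user/alice"
    own_mfa = f"arn:aws:iam::{acct}:mfa/alice"
    other_user = f"arn:aws:iam::{acct}:user/bob"
    mfa_session = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
    password_only = {"aws:username": "alice"}  # key absent: session did not use MFA
    return {
        "create own virtual device": is_allowed(POLICY, "iam:CreateVirtualMFADevice", own_mfa, password_only),
        "enable MFA on own user": is_allowed(POLICY, "iam:EnableMFADevice", own_user, password_only),
        "enable MFA on another user": is_allowed(POLICY, "iam:EnableMFADevice", other_user, password_only),
        "deactivate own, MFA session": is_allowed(POLICY, "iam:DeactivateMFADevice", own_user, mfa_session),
        "deactivate own, password only": is_allowed(POLICY, "iam:DeactivateMFADevice", own_user, password_only),
        "list users": is_allowed(POLICY, "iam:ListUsers", "*", password_only),
        "attach a policy to self": is_allowed(POLICY, "iam:AttachUserPolicy", own_user, mfa_session),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY':5}  {scenario}")
```

Running the script prints one ALLOW or DENY line per scenario: alice can create and enable her own device and list users, cannot enable MFA on bob's user, cannot deactivate her own device from a password-only session, and gets no permission the policy does not name. Because the evaluator knows nothing about other attached policies or explicit Deny statements, use it to reason about this policy in isolation, not as a substitute for testing with a real sub-user.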