How do I allow sub-users to change passwords and enable MFA?

Table of Contents:

1. Introduction

2. IAM policy that allows sub-users to change passwords and enable MFA

3. Screenshots from policy testing

3.1 Screenshots from before policy was implemented

3.2 Screenshots with policy

1. Introduction

By default, sub-users on a Wasabi account do not have permission to change their own passwords or to enable Multi-Factor Authentication (MFA).  This article gives an example IAM policy that the account's root user can create and attach so that sub-users gain this capability.  The policy deliberately does not grant iam:DeactivateMFADevice or iam:DeleteVirtualMFADevice, so a sub-user (or anyone holding that sub-user's credentials) can enable MFA but cannot turn it off or delete the device afterwards.  

2. IAM policy that allows sub-users to change passwords and enable MFA

An account's root user can implement this policy in the Wasabi console by clicking on Policies, then Create Policy.  Give the policy a name, then copy and paste the policy below into the Policy Document text box.  Replace every occurrence of AccountNumber with your Wasabi account number (this may be found in the Users section of the console and is the same for every sub-user under the same account).  Leave ${aws:username} exactly as written: it is an IAM policy variable that is resolved at evaluation time to the name of the sub-user making the request, which is what limits each sub-user to their own login profile and MFA device.  Then click on Create Policy.  

Apply this policy to a group of sub-users.  Click on Groups, then click on the name of the group the policy will be applied to.  Scroll down and click on Policies, then click on the Search box and select the policy that was created. 

Note:  This policy may instead be attached to individual sub-users, but attaching it to a sub-user group is recommended so that new sub-users receive it when they are added to the group and it can be reviewed or removed in one place.  

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUserToCreateVirtualMFADevice",
      "Effect": "Allow",
      "Action": "iam:CreateVirtualMFADevice",
      "Resource": [
        "arn:aws:iam::AccountNumber:mfa/*",
        "arn:aws:iam::AccountNumber:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowUserToManageOwnMFA",
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::AccountNumber:user/${aws:username}",
        "arn:aws:iam::AccountNumber:mfa/*"
      ]
    },
    {
      "Sid": "AllowUsersToChangePassword",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:GetLoginProfile",
        "iam:UpdateLoginProfile"
      ],
      "Resource": "arn:aws:iam::AccountNumber:user/${aws:username}"
    }
  ]
}
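Before attaching a filled-in copy of the policy, it is worth checking that the two properties the article relies on still hold: no statement grants an action that could disable or remove MFA, and every user-scoped resource is limited to ${aws:username}.  The script below is an added example, not part of the Wasabi article or Wasabi's tooling.  It embeds the article's policy as sample text, substitutes the account number (123456789012 is a constructed placeholder; the script only assumes the account number is numeric), and reports any statement that breaks either rule.  A second, constructed counter-example shows what the check flags.

```python
"""Lint a self-service password/MFA policy before attaching it to a group.

Added example, not part of the original article.  It checks that:
  1. no Allow statement grants an action that weakens MFA, and
  2. every user ARN is limited to the ${aws:username} policy variable,
     so a sub-user can only act on their own login profile and MFA device.
"""
import json
import re

# Actions that would let a sub-user turn MFA off; the article's policy must not grant them.
MFA_WEAKENING_ACTIONS = {"iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"}

# Read-only actions the article grants on Resource "*"; anything else on "*" is flagged.
WILDCARD_OK_ACTIONS = {"iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"}

# Matches a user ARN and captures the user part; "mfa/*" ARNs are expected because the
# virtual device name is chosen at creation time, so they are not matched here.
USER_ARN_RE = re.compile(r"^arn:aws:iam::\d+:user/(.+)$")

# The article's policy, embedded so the script runs offline.
ARTICLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"],
     "Resource": "*"},
    {"Sid": "AllowUserToCreateVirtualMFADevice", "Effect": "Allow",
     "Action": "iam:CreateVirtualMFADevice",
     "Resource": ["arn:aws:iam::AccountNumber:mfa/*",
                  "arn:aws:iam::AccountNumber:user/${aws:username}"]},
    {"Sid": "AllowUserToManageOwnMFA", "Effect": "Allow",
     "Action": ["iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Resource": ["arn:aws:iam::AccountNumber:user/${aws:username}",
                  "arn:aws:iam::AccountNumber:mfa/*"]},
    {"Sid": "AllowUsersToChangePassword", "Effect": "Allow",
     "Action": ["iam:ChangePassword", "iam:GetLoginProfile", "iam:UpdateLoginProfile"],
     "Resource": "arn:aws:iam::AccountNumber:user/${aws:username}"}
  ]
}"""

# Constructed counter-example (do not deploy): grants the MFA-removal actions and
# widens the resource to every user in the account.
OVERLY_BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow",
     "Action": ["iam:EnableMFADevice", "iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"],
     "Resource": "arn:aws:iam::AccountNumber:user/*"}
  ]
}"""


def as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def fill_account_number(policy_text, account_number):
    """Replace the AccountNumber placeholder, refusing anything that is not purely numeric."""
    if not re.fullmatch(r"\d+", account_number):
        raise ValueError("account number must be numeric")
    return policy_text.replace("AccountNumber", account_number)


def lint_self_service_policy(policy):
    """Return a list of findings for a parsed policy; an empty list means it passes."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(as_list(stmt["Action"]))

        weakening = sorted(actions & MFA_WEAKENING_ACTIONS)
        if weakening:
            findings.append(f"{sid}: grants MFA-weakening action(s) {weakening}")

        for res in as_list(stmt["Resource"]):
            if res == "*":
                extra = sorted(actions - WILDCARD_OK_ACTIONS)
                if extra:
                    findings.append(f"{sid}: resource '*' with non-read action(s) {extra}")
            elif "AccountNumber" in res:
                findings.append(f"{sid}: AccountNumber placeholder not replaced in {res}")
            else:
                m = USER_ARN_RE.match(res)
                if m and m.group(1) != "${aws:username}":
                    findings.append(f"{sid}: user ARN {res} is not limited to ${{aws:username}}")
    return findings


def lint_policy_text(policy_text):
    """Parse policy JSON text and lint it."""
    return lint_self_service_policy(json.loads(policy_text))


if __name__ == "__main__":
    for name, text in (("article", ARTICLE_POLICY), ("overly broad", OVERLY_BROAD_POLICY)):
        print(name, lint_policy_text(fill_account_number(text, "123456789012")) or "OK")
```

Run it after pasting your own filled-in policy into ARTICLE_POLICY; the article's policy with the placeholder replaced produces no findings, while a policy that still contains AccountNumber, grants the deactivate/delete actions, or uses user/* is reported statement by statement.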

3. Screenshots from policy testing

3.1 Screenshots from before policy was implemented

The following screenshots show what happens before the policy in Section 2 has been implemented.  Sub-users get an error when trying to change their password or trying to enable MFA.

Password_error_without_policy.png

MFA_error_without_policy.png

3.2 Screenshots with policy

The following screenshots are from after the policy in Section 2 was implemented.  Sub-users are able to change their passwords and enable MFA.

password_change_allowed_with_policy.png

mfa_enable_allowed_with_policy.png
