IAM Policy: Self-Manage User Permissions | Online Free DevTools by Hexmos

Enable users to self-manage IAM permissions with this policy. Securely manage passwords, MFA, and access keys. Free AWS IAM policy by Hexmos.

Self-Manage IAM Policy

This IAM policy enables individual users to manage their own account information, including passwords, access keys, and multi-factor authentication (MFA). It allows users to list account-level information (account aliases, users, roles, the password policy and the account summary), manage their own credentials, and manage their own MFA devices. Every mutating action is scoped to the caller's own user or MFA ARN through the `${aws:username}` policy variable, so a user can change their own security settings but not those of other users in the AWS account.

IAM Policy JSON

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllUsersToListAccounts",
            "Effect": "Allow",
            "Action": [
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:ListRoles",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:CreateAccessKey",
                "iam:CreateLoginProfile",
                "iam:DeleteAccessKey",
                "iam:DeleteLoginProfile",
                "iam:GetLoginProfile",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey",
                "iam:UpdateLoginProfile",
                "iam:ListSigningCertificates",
                "iam:DeleteSigningCertificate",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate",
                "iam:ListSSHPublicKeys",
                "iam:GetSSHPublicKey",
                "iam:DeleteSSHPublicKey",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::xxxxxxxxxxxx:user/${aws:username}"
        },
        {
            "Sid": "AllowIndividualUserToListTheirOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:ListVirtualMFADevices",
                "iam:ListMFADevices"
            ],
            "Resource": [
                "arn:aws:iam::xxxxxxxxxxxx:mfa/*",
                "arn:aws:iam::xxxxxxxxxxxx:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToManageTheirOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:RequestSmsMfaRegistration",
                "iam:FinalizeSmsMfaRegistration",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::xxxxxxxxxxxx:mfa/${aws:username}",
                "arn:aws:iam::xxxxxxxxxxxx:user/${aws:username}"
            ]
        }
    ]
}

Explanation

This policy is structured to provide a balance between allowing users to manage their own security settings and maintaining overall account security. The policy includes statements that:

  • Allow all users to list account-level information such as account aliases, users, roles, the password policy and the account summary (Resource "*", read-only actions only).
  • Allow individual users to manage their own account information, including changing their password and login profile, and managing their own access keys, signing certificates and SSH public keys (Resource scoped to user/${aws:username}).
  • Allow individual users to list MFA devices and to create, enable, resync, deactivate and delete their own virtual MFA device (Resource scoped to mfa/${aws:username} and user/${aws:username}).
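The self-scoping behaviour described above can be checked offline before the policy is attached. The following is an added example, not code from the Hexmos page: it holds a condensed copy of the policy (same Sids, actions and resources, with the placeholder account ID replaced by the constructed value 123456789012), resolves `${aws:username}` for a given caller, applies IAM's explicit-deny over allow over implicit-deny order, and lints the policy for non-read actions granted on Resource "*". The `evaluate` and `wildcard_write_grants` functions, `_arn` and `ACCOUNT_ID` are names invented for this example.

```python
import fnmatch
from typing import Dict, List

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account ID


def _arn(kind: str) -> str:
    """Build an IAM ARN in the placeholder account (example helper)."""
    return f"arn:aws:iam::{ACCOUNT_ID}:{kind}"


# Condensed copy of the page's policy: same Sids, actions and resources.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAllUsersToListAccounts", "Effect": "Allow",
         "Action": ["iam:ListAccountAliases", "iam:ListUsers", "iam:ListRoles",
                    "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary"],
         "Resource": "*"},
        {"Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation",
         "Effect": "Allow",
         "Action": ["iam:ChangePassword", "iam:CreateAccessKey", "iam:CreateLoginProfile",
                    "iam:DeleteAccessKey", "iam:DeleteLoginProfile", "iam:GetLoginProfile",
                    "iam:ListAccessKeys", "iam:UpdateAccessKey", "iam:UpdateLoginProfile",
                    "iam:ListSigningCertificates", "iam:DeleteSigningCertificate",
                    "iam:UpdateSigningCertificate", "iam:UploadSigningCertificate",
                    "iam:ListSSHPublicKeys", "iam:GetSSHPublicKey", "iam:DeleteSSHPublicKey",
                    "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey"],
         "Resource": _arn("user/${aws:username}")},
        {"Sid": "AllowIndividualUserToListTheirOwnMFA", "Effect": "Allow",
         "Action": ["iam:ListVirtualMFADevices", "iam:ListMFADevices"],
         "Resource": [_arn("mfa/*"), _arn("user/${aws:username}")]},
        {"Sid": "AllowIndividualUserToManageTheirOwnMFA", "Effect": "Allow",
         "Action": ["iam:CreateVirtualMFADevice", "iam:DeactivateMFADevice",
                    "iam:DeleteVirtualMFADevice", "iam:RequestSmsMfaRegistration",
                    "iam:FinalizeSmsMfaRegistration", "iam:EnableMFADevice",
                    "iam:ResyncMFADevice"],
         "Resource": [_arn("mfa/${aws:username}"), _arn("user/${aws:username}")]},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM action and resource patterns use '*' and '?' wildcards, case-sensitively."""
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy: Dict, username: str, action: str, resource: str) -> str:
    """Decide one request: 'Deny' (explicit), 'Allow' or 'ImplicitDeny'.

    ${aws:username} is resolved to the caller's name before the resource is
    matched, which is what makes the page's statements self-scoping.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r.replace("${aws:username}", username), resource)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins over any allow
        decision = "Allow"
    return decision


READ_PREFIXES = ("iam:List", "iam:Get")


def wildcard_write_grants(policy: Dict) -> List[str]:
    """Lint: list 'Sid:action' for every non-read action an Allow statement
    grants on Resource "*". For the page's policy this is empty, because only
    List*/Get* actions are granted account-wide."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            if not action.startswith(READ_PREFIXES):
                findings.append(f"{stmt.get('Sid', '?')}:{action}")
    return findings


if __name__ == "__main__":
    print(evaluate(POLICY, "alice", "iam:DeleteAccessKey", _arn("user/alice")))  # Allow
    print(evaluate(POLICY, "alice", "iam:DeleteAccessKey", _arn("user/bob")))    # ImplicitDeny
    print(evaluate(POLICY, "alice", "iam:DeactivateMFADevice", _arn("mfa/alice")))  # Allow
    print(wildcard_write_grants(POLICY))  # []
```

The evaluator covers only action and resource matching (no Condition keys), which is enough to confirm that a caller named alice is allowed on `user/alice` and `mfa/alice` but gets an implicit deny on bob's resources, and that the only account-wide grants are read-only. Because it honours explicit denies, the same function can be rerun after an organisation adds a Deny statement to this policy.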

Use Cases

This policy is useful in organizations where:

  • Users are responsible for managing their own security credentials.
  • There is a need to reduce the administrative burden of managing user credentials.
  • Users require the ability to manage their own MFA devices for enhanced security.

Additional Resources