--- # IAM Custom Policy Specification # # List of IAM policy definitions. Custom policies are created in accounts in # which the policy is attached to least one group or delegation role. # # # Each custom policy specification (CPS) has the following attributes: # Name (str): The name of the CPS. # Description (str): The policy description. # Statement (list(dict)): # List of IAM policy statements applied to the CPS. custom_policies: - PolicyName: UserSelfService Description: Allow users to manage their own account and credentials Statement: - Sid: AllowAllUsersToListAccounts Effect: Allow Action: - iam:ListAccountAliases - iam:ListUsers - iam:ListUserPolicies - iam:ListAttachedUserPolicies - iam:GetAccountSummary - iam:ListGroups - iam:ListGroupPolicies - iam:ListAttachedGroupPolicies - iam:GetGroup - iam:GetGroupPolicy - iam:ListMFADevices Resource: "*" - Sid: AllowIndividualUserToSeeAndManageTheirOwnAccountInformation Effect: Allow Action: - iam:ListGroupsForUser - iam:ChangePassword - iam:CreateAccessKey - iam:CreateLoginProfile - iam:DeleteAccessKey - iam:DeleteLoginProfile - iam:GetAccountPasswordPolicy - iam:GetLoginProfile - iam:ListAccessKeys - iam:UpdateAccessKey - iam:UpdateLoginProfile - iam:ListSigningCertificates - iam:DeleteSigningCertificate - iam:UpdateSigningCertificate - iam:UploadSigningCertificate - iam:ListSSHPublicKeys - iam:GetSSHPublicKey - iam:DeleteSSHPublicKey - iam:UpdateSSHPublicKey - iam:UploadSSHPublicKey Resource: arn:aws:iam::*:user/*/${aws:username} - Sid: AllowIndividualUserToListTheirOwnMFA Effect: Allow Action: - iam:ListVirtualMFADevices - iam:ListMFADevices Resource: - arn:aws:iam::*:mfa/* - arn:aws:iam::*:user/*/${aws:username} - Sid: AllowIndividualUserToManageTheirOwnMFA Effect: Allow Action: - iam:CreateVirtualMFADevice - iam:DeactivateMFADevice - iam:DeleteVirtualMFADevice - iam:RequestSmsMfaRegistration - iam:FinalizeSmsMfaRegistration - iam:EnableMFADevice - iam:ResyncMFADevice Resource: - arn:aws:iam::*:mfa/${aws:username} - arn:aws:iam::*:user/*/${aws:username} - Sid: BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA Effect: Deny NotAction: - iam:* Resource: "*" Condition: BoolIfExists: aws:MultiFactorAuthPresent: "false"