awslabs#253 Updated boundary policy for breakglassuser

CesiumGS · Dec 20, 2022 · d39e4b5 · d39e4b5
1 parent fecec54
commit d39e4b5
Showing 1 changed file with 27 additions and 32 deletions.
diff --git a/reference/sample-configurations/aws-best-practices/iam-policies/boundary-policy.json b/reference/sample-configurations/aws-best-practices/iam-policies/boundary-policy.json
@@ -1,35 +1,30 @@
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "*",
-      "Resource": "*"
-    },
-    {
-      "Effect": "Deny",
-      "NotAction": [
-        "iam:CreateVirtualMFADevice",
-        "iam:DeleteVirtualMFADevice",
-        "iam:ListVirtualMFADevices",
-        "iam:EnableMFADevice",
-        "iam:ResyncMFADevice",
-        "iam:ListAccountAliases",
-        "iam:ListUsers",
-        "iam:ListSSHPublicKeys",
-        "iam:ListAccessKeys",
-        "iam:ListServiceSpecificCredentials",
-        "iam:ListMFADevices",
-        "iam:GetAccountSummary",
-        "sts:GetSessionToken"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "Bool": {
-          "aws:MultiFactorAuthPresent": "false",
-          "aws:ViaAWSService": "false"
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": "*",
+        "Resource": "*"
+      },
+      {
+        "Effect": "Deny",
+        "NotAction": [
+          "iam:ChangePassword",
+          "iam:Getuser",
+          "iam:ListMFADevices",
+          "iam:CreateVirtualMFADevice",
+          "iam:EnableMFADevice",
+          "iam:ResyncMFADevice",
+          "iam:DeactivateMFADevice",
+          "iam:ListUsers"
+        ],
+        "Resource": "*",
+        "Condition": {
+          "Bool": {
+            "aws:MultiFactorAuthPresent": "false"
+          }
         }
       }
-    }
-  ]
-}
+    ]
+  }
+