This topic uses an example policy to demonstrate how to authorize a RAM user to manage multi-factor authentication (MFA).

The following policy indicates that the authorized RAM user (alice) can enable and disable MFA devices.

{
   "Statement": [
       {
           "Action": [
               "ram:GetUserMFAInfo",
               "ram:BindMFADevice",
               "ram:UnbindMFADevice"
           ],
           "Resource": "acs:ram:*:*:user/alice",
           "Effect": "Allow"
       },
       {
           "Action": [
               "ram:CreateVirtualMFADevice",
               "ram:DeleteVirtualMFADevice"
           ],
           "Resource": "*",
           "Effect": "Allow"
       }
   ],
   "Version": "1"
}
Note For information about how to authorize a RAM user to manage MFA through the RAM console, see Set a security policy for RAM users.