This topic uses an example policy to demonstrate how to authorize a RAM user to manage multi-factor authentication (MFA).
The following policy indicates that the authorized RAM user (alice) can enable and disable MFA devices.
{
    "Statement": [
        {
            "Action": [
                "ram:GetUserMFAInfo",
                "ram:BindMFADevice",
                "ram:UnbindMFADevice"
            ],
            "Resource": "acs:ram:*:*:user/alice",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:CreateVirtualMFADevice",
                "ram:DeleteVirtualMFADevice"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ],
    "Version": "1"
}
Note: For information about how to authorize a RAM user to manage MFA through the RAM console, see Set a security policy for RAM users.
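The policy above allows the three user-scoped actions only on alice's own ARN, and a review check can confirm that a copy of the policy still does. The lint below is an added example, not part of the original documentation: the names `lint_mfa_policy`, `as_list` and `BROAD_POLICY` are hypothetical, and the choice to flag any resource other than the named user's ARN is an assumption made for this check.

```python
import json
from fnmatch import fnmatchcase

# Actions that the page's policy scopes to one user ARN (its first statement).
USER_SCOPED = ("ram:GetUserMFAInfo", "ram:BindMFADevice", "ram:UnbindMFADevice")

def as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def lint_mfa_policy(policy_text, user_name):
    """Flag Allow statements granting user-scoped MFA actions on any
    resource other than user_name's own ARN (assumed review rule)."""
    expected = f"acs:ram:*:*:user/{user_name}"
    findings = []
    for index, stmt in enumerate(json.loads(policy_text)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # An action pattern such as "ram:*" also covers the user-scoped actions.
        covered = sorted({a for a in USER_SCOPED
                          for pattern in as_list(stmt["Action"])
                          if fnmatchcase(a, pattern)})
        if not covered:
            continue
        for resource in as_list(stmt["Resource"]):
            if resource != expected:
                findings.append((index, resource, covered))
    return findings

# The policy from this page.
PAGE_POLICY = """{
  "Statement": [
    {"Action": ["ram:GetUserMFAInfo", "ram:BindMFADevice", "ram:UnbindMFADevice"],
     "Resource": "acs:ram:*:*:user/alice", "Effect": "Allow"},
    {"Action": ["ram:CreateVirtualMFADevice", "ram:DeleteVirtualMFADevice"],
     "Resource": "*", "Effect": "Allow"}
  ],
  "Version": "1"
}"""

# Constructed variant: the same actions allowed on every resource.
BROAD_POLICY = PAGE_POLICY.replace('"acs:ram:*:*:user/alice"', '"*"')

if __name__ == "__main__":
    print("page policy:", lint_mfa_policy(PAGE_POLICY, "alice"))
    print("broad policy:", lint_mfa_policy(BROAD_POLICY, "alice"))
```
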