An IAM policy defines what can be accessed (Resource), which operations are covered (Action), and whether they are allowed or denied (Effect). Add a Condition to the policy as necessary.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:Get*"
          ],
          "Resource": [
            "arn:aws:s3:::test-data",
            "arn:aws:s3:::test-data/*"
          ],
          "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
        }
      ]
    }

In this policy:

- Resource: data in the 'test-data' S3 bucket
- Action: operations beginning with Get
- Effect: Allow
- Condition: MFA is enabled
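The following Python sketch is an added example, not code from the original page: a simplified model of how the Action, Resource and Condition elements of the policy above combine, run against constructed requests. The function names and request values are assumptions, and only the Bool operator is modelled, not AWS's full evaluation logic.

```python
import json
import re

# The policy from this page (ASCII quotes). Assumes list-valued Action/Resource.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:Get*"],
    "Resource": ["arn:aws:s3:::test-data", "arn:aws:s3:::test-data/*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}""")

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _condition_ok(block, context):
    # Simplified: only "Bool" is modelled. A key missing from the request
    # context does not match, so the statement does not apply.
    if set(block) - {"Bool"}:
        raise ValueError("operator not modelled in this sketch")
    return all(str(context.get(k, "")).lower() == str(v).lower()
               for k, v in block.get("Bool", {}).items())

def is_allowed(policy, action, resource, context):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        hit = (any(_match(a, action, ignore_case=True) for a in st["Action"])
               and any(_match(r, resource) for r in st["Resource"])
               and _condition_ok(st.get("Condition", {}), context))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    obj = "arn:aws:s3:::test-data/report.csv"
    print(is_allowed(POLICY, "s3:GetObject", obj, mfa))            # object read with MFA
    print(is_allowed(POLICY, "s3:GetObject", obj, {}))             # no MFA key in context
    print(is_allowed(POLICY, "s3:PutObject", obj, mfa))            # not a Get* action
    print(is_allowed(POLICY, "s3:GetBucketLocation", "arn:aws:s3:::test-data", mfa))
```

The two Resource entries serve different calls: bucket-level Get operations match the bare bucket ARN, while object reads match the `/*` form.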