IAM policy where: Users must create new password at sign-in AND can use MFA?


Hello, I have new users that must must change their default password at next sign-in. I also want them to set up MFA. However, this seems to create a loop where they're blocked from changing their password unless they're signed in with MFA, and they can't set up MFA until they change their password and log in for the first time.

How to create a policy where new users can get themselves set up?

질문됨 일 년 전564회 조회
2개 답변

Hi Emmab5,

I suggest you read these articles:

In particular, you could leverage iam:ChangePassword and MultiFactorAuthPresent condition to achieve change password with mfa enabled.

Hope it helps

profile picture
답변함 일 년 전

The IAM best practices have been updated. As a best practice, require human users to use federation with an identity provider to access AWS using temporary credentials.

IAM users are to be used only in very limited scenarios where an IAM role cannot be assumed. To learn about using AWS IAM Identity Center (successor to AWS Single Sign-On) to create users with temporary credentials, see Getting started in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.

In a nutshell, turn on AWS Organisations, then set up AWS IAM Identity Center. AWS IAM best practice is to configure federated users and this way, AWS helps you securely manage the administration of user passwords and MFA according to your preferences.

profile pictureAWS
답변함 일 년 전
  • Thank you, the documentation notes that this JSON doesn't include text allowing users to change their password. I copy/pasted the IAMUserChangePassword JSON to the top of this but that still didn't work (I removed the obvious conflicts from the Deny sections but I might have missed something). Do you have a JSON example of using MFA and being able to change your password without it?

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠