How to support expired password change with an IP restriction (user should be on a VPN)?


We currently have explicit deny policies that prevent our IAM users from doing any action unless they are logged into our VPN, via an IP address list restriction.

The issue is that if a user lets his / her password expire, AWS will force that user to change it at the next login attempt: in that case, the API call to AWS to effectively change the password is performed from AWS itself on behalf of the user, which of course is not logged on to our VPN and therefore does not match the IP address list restriction.

The only workaround so far is to create another role that lifts this VPN restriction just for this use case, assigned to users temporarily just to give them the time to change their password. On top of bringing overhead, it creates risk if the assignment back to the secure VPN-restricted role is not done.

Any hint to a more elegant / better solution?

Thanks
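Added example, not part of the question above and not AWS's own code: a small Python evaluator for the "explicit Deny unless the request comes from the VPN" pattern the question describes. It embeds a constructed policy (an explicit Deny on every action with a `NotIpAddress` condition on `aws:SourceIp`) and runs it against constructed request contexts, including the case that bites here, an `iam:ChangePassword` call that reaches IAM with a source address other than the user's VPN egress. A second variant adds the `aws:ViaAWSService` condition key that AWS's documented deny-by-IP example policy carries; whether the forced password change at console sign-in is tagged as a service-originated request is not established by the question, so the evaluator only shows what that key changes for each context. The VPN CIDR (an RFC 5737 documentation range), the sample source addresses and the `aws:ViaAWSService` values are assumptions made for the demonstration, as is the modelling of a missing `aws:SourceIp` under the negated operator as "outside the list" (so still denied).

```python
import copy
import fnmatch
import ipaddress

# Constructed policy in the shape the question describes: explicit Deny on
# every action when the request's source IP is outside the VPN address list.
# 203.0.113.0/24 is a documentation range standing in for the VPN egress.
VPN_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnlessOnVpn",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
            },
        }
    ],
}

# Variant with the extra key from AWS's documented deny-by-IP example: the
# Deny only applies when the request was NOT made by an AWS service on the
# caller's behalf. Whether the sign-in password change counts as such is an
# open question here; this variant only shows the effect of the key.
VPN_DENY_POLICY_WITH_SERVICE_EXEMPTION = copy.deepcopy(VPN_DENY_POLICY)
VPN_DENY_POLICY_WITH_SERVICE_EXEMPTION["Statement"][0]["Condition"]["Bool"] = {
    "aws:ViaAWSService": "false"
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _ip_in_cidrs(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def condition_matches(condition, ctx):
    """True when every condition block matches the request context ``ctx``.

    Only IpAddress, NotIpAddress and Bool are modelled; any other operator
    raises so a silent mis-evaluation cannot happen.
    """
    for op, kv in condition.items():
        for key, values in kv.items():
            values, actual = _as_list(values), ctx.get(key)
            if op == "IpAddress":
                if actual is None or not _ip_in_cidrs(actual, values):
                    return False
            elif op == "NotIpAddress":
                # Negated operator: a context with no usable aws:SourceIp is
                # treated as "not in the list" (assumption), so Deny applies.
                if actual is not None and _ip_in_cidrs(actual, values):
                    return False
            elif op == "Bool":
                # Positive operator: a missing key never matches.
                if actual is None or str(actual).lower() != str(values[0]).lower():
                    return False
            else:
                raise ValueError(f"condition operator not modelled: {op}")
    return True


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and accepts '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(pattern))


def is_denied(policy, ctx):
    """True if any Deny statement in ``policy`` matches the request context."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _action_matches(stmt["Action"], ctx["action"]):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


# Constructed request contexts (addresses are documentation-range placeholders;
# the aws:ViaAWSService values for the password-change cases are hypothetical).
SAMPLE_REQUESTS = {
    "console_from_vpn": {"action": "s3:ListAllMyBuckets",
                         "aws:SourceIp": "203.0.113.25", "aws:ViaAWSService": "false"},
    "console_from_home": {"action": "s3:ListAllMyBuckets",
                          "aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "false"},
    # The symptom from the question: the sign-in password change reaches IAM
    # with a source address that is not the user's VPN address.
    "forced_change_direct": {"action": "iam:ChangePassword",
                             "aws:SourceIp": "192.0.2.44", "aws:ViaAWSService": "false"},
    "forced_change_via_service": {"action": "iam:ChangePassword",
                                  "aws:SourceIp": "192.0.2.44", "aws:ViaAWSService": "true"},
}


def evaluate_all(policy, requests=SAMPLE_REQUESTS):
    """Map each sample request name to whether ``policy`` denies it."""
    return {name: is_denied(policy, ctx) for name, ctx in requests.items()}


if __name__ == "__main__":
    for label, pol in (("plain", VPN_DENY_POLICY),
                       ("with ViaAWSService exemption", VPN_DENY_POLICY_WITH_SERVICE_EXEMPTION)):
        print(label)
        for name, denied in evaluate_all(pol).items():
            print(f"  {name:27s} -> {'DENIED' if denied else 'not denied by this policy'}")
```

Running it shows the mechanism behind the question: the plain policy denies every context except the one whose source address is inside the VPN range, including the password change and a context that carries no `aws:SourceIp` at all. The variant with `aws:ViaAWSService` stops denying only those requests whose context says they were made through an AWS service; a password change that arrives as a direct request from a non-VPN address is still denied, which is why the evaluator is useful for checking such a policy against the exact request context CloudTrail shows for the failing call, rather than for guessing.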

No answers
