- Newest
- Most votes
- Most comments
Hi Emmab5,
I suggest you read these articles:
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html.
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage-mfa-only.html
In particular, you could leverage iam:ChangePassword and MultiFactorAuthPresent condition to achieve change password with mfa enabled.
Hope it helps
The IAM best practices have been updated. As a best practice, require human users to use federation with an identity provider to access AWS using temporary credentials.
IAM users are to be used only in very limited scenarios where an IAM role cannot be assumed. To learn about using AWS IAM Identity Center (successor to AWS Single Sign-On) to create users with temporary credentials, see Getting started in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.
In a nutshell, turn on AWS Organisations, then set up AWS IAM Identity Center. AWS IAM best practice is to configure federated users and this way, AWS helps you securely manage the administration of user passwords and MFA according to your preferences.
Relevant content
- asked 6 months ago
- asked a year ago
- Accepted Answerasked a year ago
- asked a year ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
Thank you, the documentation notes that this JSON doesn't include text allowing users to change their password. I copy/pasted the IAMUserChangePassword JSON to the top of this but that still didn't work (I removed the obvious conflicts from the Deny sections but I might have missed something). Do you have a JSON example of using MFA and being able to change your password without it?