Force IAM user to change password after first authentication.

Question

To meet some PCI requirements, we need to force users to change their password after first authentication into the aws console. I have tried to search for information about how to do that in AWS, using IAM features, but was not able to find anything, is it possible?

Thanks

Brettski-AWS · Accepted Answer

When you create an IAM user there is a checkbox for `User must create a new password at next sign-in` which does what you want. As an administrator you can enforce that for the next login for existing users as well.

If you're operating in a multi-account environment or are using [AWS Organizations](https://aws.amazon.com/organizations/) then I'd strongly recommend using [IAM Identity Center](https://aws.amazon.com/iam/identity-center/) which gives you the ability to use a central identity provider. Then you can control password policies and other authentication requirements (such as MFA) centrally.

James_S · Answer

When creating a User through the Console, you can specify that they need to change their password when they first log in:

![screenshot of IAM user creation](/media/postImages/original/IMkfnNDkKGT5C4iZ8VEHvjbQ)

If you are creating or updating your Users via the API/CLI, you call the [CreateLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html) or [UpdateLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateLoginProfile.html) APIs, which both support configuring the User to need to change their password when they first/next log in.

If you are using the CLI, the update command could look like this, for example:

```
aws iam update-login-profile --user-name james --password-reset-required
```

Force IAM user to change password after first authentication.

Relevant content