Force IAM user to change password after first authentication.


To meet some PCI requirements, we need to force users to change their password after first authentication into the AWS console. I have tried to search for information about how to do that in AWS, using IAM features, but was not able to find anything. Is it possible?


2 Answers
Accepted Answer

When you create an IAM user there is a checkbox for "User must create a new password at next sign-in" which does what you want. As an administrator you can enforce that for the next login for existing users as well.

If you're operating in a multi-account environment or are using AWS Organizations then I'd strongly recommend using IAM Identity Center which gives you the ability to use a central identity provider. Then you can control password policies and other authentication requirements (such as MFA) centrally.

AWS, answered a year ago

When creating a User through the Console, you can specify that they need to change their password when they first log in:

[screenshot of IAM user creation]

If you are creating or updating your Users via the API/CLI, you call the CreateLoginProfile or UpdateLoginProfile APIs, which both support configuring the User to need to change their password when they first/next log in.

If you are using the CLI, the update command could look like this, for example:

aws iam update-login-profile --user-name james --password-reset-required
AWS, answered a year ago
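The two answers above cover the console checkbox and the single-user CLI call. As an added example (not from either answerer), here is how the same GetLoginProfile/UpdateLoginProfile calls can be used to audit a list of existing users and flag every console user who is not yet required to reset. It assumes a boto3-style IAM client such as boto3.client("iam"); the FakeIamClient below is a constructed stand-in so the code runs offline.

```python
"""Audit and enforce 'password reset required' on existing IAM console users.

Assumes a boto3-style IAM client (e.g. boto3.client("iam")). A constructed
FakeIamClient is included so the example runs offline.
"""


def audit_login_profiles(iam, user_names):
    """Return {user: PasswordResetRequired} for users that have console access.

    Users without a login profile (API-only users) raise NoSuchEntityException
    on get_login_profile and are skipped: there is no console password to reset.
    """
    result = {}
    for name in user_names:
        try:
            profile = iam.get_login_profile(UserName=name)["LoginProfile"]
        except iam.exceptions.NoSuchEntityException:
            continue
        result[name] = bool(profile.get("PasswordResetRequired", False))
    return result


def enforce_password_reset(iam, user_names):
    """Flag every console user not already required to reset; return those changed."""
    changed = []
    for name, reset_required in audit_login_profiles(iam, user_names).items():
        if not reset_required:
            # Same call as: aws iam update-login-profile --user-name NAME --password-reset-required
            iam.update_login_profile(UserName=name, PasswordResetRequired=True)
            changed.append(name)
    return sorted(changed)


class FakeIamClient:
    """Constructed stand-in for boto3's IAM client (offline use only)."""

    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, profiles):
        self.profiles = dict(profiles)  # user name -> PasswordResetRequired

    def get_login_profile(self, UserName):
        if UserName not in self.profiles:  # API-only user: no console profile
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"LoginProfile": {"UserName": UserName,
                                 "PasswordResetRequired": self.profiles[UserName]}}

    def update_login_profile(self, UserName, PasswordResetRequired):
        self.profiles[UserName] = PasswordResetRequired
```

With a real client, run the audit first and review the output before calling enforce_password_reset, since every user it flags will be forced to a reset on their next console sign-in.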
