How to support expired password change with an IP restriction (user should be on a VPN)?


We currently have explicit deny policies to prevent our IAM users from doing any action unless they are logged into our VPN, via an IP address list restriction.

The issue is that if a user lets his / her password expire, then this user will be forced by AWS to change it at the next login attempt: in that case, the API call to AWS to actually change the password will be performed from AWS itself on behalf of the user, which of course is not logged into our VPN and therefore does not match the IP address list restriction.

The only workaround so far is to create another role lifting this VPN restriction just for this use case, assigned to users temporarily just to give them the time to change their password. On top of adding overhead, it creates risk if the assignment back to the secure VPN-restricted role is not done.

Any hint to a more elegant / better solution?

Thanks
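For reference, the shape of the restriction being discussed, written out as an added example (this is not the asker's policy and not an answer from AWS). It is a single explicit deny keyed on `aws:SourceIp`, with two carve-outs that address the failure mode the question describes: a `NotAction` list excluding the two permissions the console password-change flow needs (`iam:ChangePassword` and `iam:GetAccountPasswordPolicy`), and the `aws:ViaAWSService` condition so that calls AWS services make on the user's behalf are not caught by the IP deny. The CIDR ranges are placeholders; whether the forced-change-at-login flow is classified as a via-service call is an assumption to verify in CloudTrail for the account in question before relying on that condition alone.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOffVpnExceptOwnPasswordChange",
      "Effect": "Deny",
      "NotAction": [
        "iam:ChangePassword",
        "iam:GetAccountPasswordPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "192.0.2.0/24",
            "203.0.113.0/24"
          ]
        },
        "Bool": {
          "aws:ViaAWSService": "false"
        }
      }
    },
    {
      "Sid": "AllowOwnPasswordChangeOnly",
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowReadPasswordPolicy",
      "Effect": "Allow",
      "Action": "iam:GetAccountPasswordPolicy",
      "Resource": "*"
    }
  ]
}
```

Because the deny still covers every action outside the `NotAction` list, an off-VPN session can do nothing but change its own password; the `${aws:username}` resource scoping keeps the allow from reaching any other user. A rejected password change during a forced rotation should show up as an `AccessDenied` on `iam:ChangePassword` in CloudTrail, which is the quickest way to confirm whether the IP deny or the via-service condition is what is blocking the flow.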

No Answers
