IAM policy where: Users must create new password at sign-in AND can use MFA?

0

Hello, I have new users that must must change their default password at next sign-in. I also want them to set up MFA. However, this seems to create a loop where they're blocked from changing their password unless they're signed in with MFA, and they can't set up MFA until they change their password and log in for the first time.

How to create a policy where new users can get themselves set up?

emmab5
已提问 1 年前564 查看次数
2 回答
1

Hi Emmab5,

I suggest you read these articles:

In particular, you could leverage iam:ChangePassword and MultiFactorAuthPresent condition to achieve change password with mfa enabled.

Hope it helps

profile picture
专家
已回答 1 年前
0

The IAM best practices have been updated. As a best practice, require human users to use federation with an identity provider to access AWS using temporary credentials.

IAM users are to be used only in very limited scenarios where an IAM role cannot be assumed. To learn about using AWS IAM Identity Center (successor to AWS Single Sign-On) to create users with temporary credentials, see Getting started in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.

In a nutshell, turn on AWS Organisations, then set up AWS IAM Identity Center. AWS IAM best practice is to configure federated users and this way, AWS helps you securely manage the administration of user passwords and MFA according to your preferences.

profile pictureAWS
simon
已回答 1 年前
  • Thank you, the documentation notes that this JSON doesn't include text allowing users to change their password. I copy/pasted the IAMUserChangePassword JSON to the top of this but that still didn't work (I removed the obvious conflicts from the Deny sections but I might have missed something). Do you have a JSON example of using MFA and being able to change your password without it?

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则