Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Permit IAM users to change their own passwords
Users with federated identities change their passwords through the process defined by their identity provider. As a best practice, require human users to use federation with an identity provider to access Amazon using temporary credentials.
You can grant IAM users the permission to change their own passwords for signing in to the Amazon Web Services Management Console. You can do this in one of two ways: allow all IAM users in the account to change their own passwords (through the account password policy), or allow only selected IAM users to do so (through an IAM policy).
To allow all IAM users to change their own passwords
Choose the tab for the procedure you want to follow:
- IAM console
  - Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
  - In the navigation pane, choose Account settings.
  - In the Password policy section, choose Edit.
  - Choose Custom to use a custom password policy.
  - Select Allow users to change their own password, and then choose Save changes. This allows all users in the account access to the iam:ChangePassword action for only their own user and to the iam:GetAccountPasswordPolicy action.
  - Provide users with the following instructions for changing their passwords: How an IAM user changes their own password.
- Amazon CLI
  - Run the following command:
- API
  - To create an alias for your Amazon Web Services Management Console sign-in page URL, call the following operation:
To allow selected IAM users to change their own passwords
Choose the tab for the procedure you want to follow:
- IAM console
  - Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
  - In the navigation pane, choose Account settings.
  - In the Password policy section, make sure that Allow users to change their own password is not selected. If this check box is selected, all users can change their own passwords. (See the previous procedure.)
  - Create the users who should be allowed to change their own password, if they do not already exist. For details, see Create an IAM user in your Amazon Web Services account.
  - (Optional) Create an IAM group for the users who should be allowed to change their passwords, and then add the users from the previous step to the group. For details, see IAM user groups.
  - Assign the following policy to the group. For more information, see Manage IAM policies.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:GetAccountPasswordPolicy",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "arn:aws-cn:iam::*:user/${aws:username}"
    }
  ]
}
```
This policy grants access to the ChangePassword action, which lets users change only their own passwords from the console, the Amazon CLI, Tools for Windows PowerShell, or the API; the `${aws:username}` policy variable in the Resource element resolves to the name of the calling user, so the permission never extends to other users. It also grants access to the GetAccountPasswordPolicy action, which lets the user view the current password policy; this permission is required so that the user can view the account password policy on the Change password page. The user must be allowed to read the current password policy to ensure that the changed password meets the requirements of the policy.
  - Provide users with the following instructions for changing their passwords: How an IAM user changes their own password.
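To see why the `${aws:username}` variable matters, here is an added Python example (not from the Amazon documentation) that evaluates the policy above offline with a minimal, hypothetical Allow/Deny matcher: it substitutes the caller's user name into the Resource ARN and shows that the page's policy lets a user change only their own password, while a constructed variant with `"Resource": "*"` would let any user holding the policy change any user's password. The account id and user names are constructed.

```python
import fnmatch
import json

# Constructed sample: the self-service policy from this page, where the
# ${aws:username} variable scopes iam:ChangePassword to the caller's own user.
SELF_SERVICE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:GetAccountPasswordPolicy", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:ChangePassword",
     "Resource": "arn:aws-cn:iam::*:user/${aws:username}"}
  ]
}
""")

# Constructed over-broad variant for comparison: Resource "*" on iam:ChangePassword.
OVERBROAD_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "iam:ChangePassword", "Resource": "*"}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _resolve(pattern, context):
    # Hypothetical helper: substitutes only the ${aws:username} policy variable.
    return pattern.replace("${aws:username}", context.get("aws:username", ""))

def is_allowed(policy, action, resource_arn, context):
    """Minimal evaluator: an explicit Deny wins, otherwise any matching Allow grants.
    Handles Effect/Action/Resource only (no Condition, NotAction, NotResource)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, _resolve(r, context))
                   for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def can_change_password(policy, caller, target_user, account="123456789012"):
    """Can `caller` invoke iam:ChangePassword on `target_user`? (constructed account id)"""
    target_arn = f"arn:aws-cn:iam::{account}:user/{target_user}"
    return is_allowed(policy, "iam:ChangePassword", target_arn, {"aws:username": caller})
```

Running `can_change_password(SELF_SERVICE_POLICY, "alice", "bob")` returns False while the over-broad variant returns True, which is the difference a reviewer should look for when a team "simplifies" this policy.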
For more information
For more information on managing credentials, see the following topics: