This section shows how to rename or change the path for a user or group.
Administrators in your AWS account are probably the only types of users who will have permission to rename users and groups (or change their paths). To understand why, think of changing the name or path of a user or group as a "move" operation. Whoever wants to rename the user or group needs to have permission to do it on both sides of the "move."
For example, let's say a user is changing from one division in
the company to another. You need to change the user's path from
/division_abc/ to /division_efg/. So, you need permission to
remove the user from /division_abc/, and you need permission to
put the user into /division_efg/. Effectively this means you
need permission to call UpdateUser on both
arn:aws:iam::123456789012:user/division_abc/*
and
arn:aws:iam::123456789012:user/division_efg/*.
It's possible that the only people within the organization who
have that type of permission are administrators.
You must use the IAM CLI or API to change a user's name. When you change a user's name or path, the following happens:
- Any policies attached to the user stay with the user under the new name
- The user stays in the same groups under the new name
- The GUID for the user remains the same (for more information about GUIDs, see User IDs)
In addition, any policies that refer to the user as the principal (the user being granted access) are automatically updated to use the new name or path. For example, any queue-based policies in the Amazon SQS system that give the user access to a particular queue are automatically updated to use the new name and path. Amazon S3 bucket policies are also automatically updated.
However, policies that refer to the user as a resource are not
automatically updated to use the new name or path; you must
update them manually. For example, let's say Bob
has a policy attached to him that lets him manage his security
credentials. If an administrator renames Bob to Robert, the
admin also needs to update that policy to change the resource
from
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob
to
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Robert.
This is also true if the admin changes the path; the admin needs
to update the policy to reflect the new path for the user.
The iam-usermod command lets you
change the user's name or path. For more information about
the command, go to the AWS Identity and Access Management Command Line Interface Reference.
The UpdateUser action lets you change
the user's name or path. For more information about the
action, go to the AWS Identity and Access Management API Reference, or refer to your SDK's
documentation.
You can use the AWS Management Console to change a group's name, or you can use the IAM CLI or API.
When you change a group's name or path, the following happens:
- Any policies attached to the group stay with the group under the new name
- The group retains all its users under the new name
- The GUID for the group remains the same (for more information about GUIDs, see User IDs)
Policies that refer to the group as a resource are not
automatically updated to use the new name; you must update
them manually. For example, let's say Bob is the manager of the testing
part of the organization, and he has a policy attached to him
that lets him use UpdateGroup specifically
with the Test group (to add and remove users). Let's say that an
admin changes the name of the group to Test_1 (or changes the
path for the group). The admin also needs to update the policy
attached to Bob to use the new name (or new path) so that Bob
can continue to add and remove users from the group.
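The manual update described above, for renamed users and renamed groups alike, can be checked mechanically before the rename is made. The following is an added example, not AWS code: it finds policy statements whose Resource matched the old ARN but no longer covers the new one, and rewrites exact references. The sample policy, its action list, and the `division_efg/Robert` destination are constructed; the other ARNs are the ones used on this page.

```python
import copy
import re

def arn_matches(pattern, arn):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def stale_resources(policy, old_arn, new_arn):
    """Return (statement index, resource) pairs that matched old_arn but whose
    statement does not cover new_arn, i.e. statements the rename stops applying to."""
    stale = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        resources = _as_list(stmt.get("Resource", []))
        if any(arn_matches(r, new_arn) for r in resources):
            continue  # a wildcard in this statement already covers the new name
        stale += [(i, r) for r in resources if arn_matches(r, old_arn)]
    return stale

def rewrite_exact(policy, old_arn, new_arn):
    """Return a copy with exact references to old_arn replaced by new_arn.
    Wildcard patterns are left untouched for manual review."""
    fixed = copy.deepcopy(policy)
    for stmt in _as_list(fixed.get("Statement", [])):
        res = stmt.get("Resource")
        if isinstance(res, list):
            stmt["Resource"] = [new_arn if r == old_arn else r for r in res]
        elif res == old_arn:
            stmt["Resource"] = new_arn
    return fixed

# Constructed sample: a policy attached to Bob, built from the page's ARNs.
BASE = "arn:aws:iam::123456789012:user/division_abc/"
OLD = BASE + "subdivision_xyz/Bob"
NEW = BASE + "subdivision_xyz/Robert"
MOVED = "arn:aws:iam::123456789012:user/division_efg/Robert"  # constructed path change
BOB_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
     "Resource": OLD},
    {"Effect": "Allow", "Action": "iam:GetUser", "Resource": BASE + "*"},
]}

if __name__ == "__main__":
    print(stale_resources(BOB_POLICY, OLD, NEW))    # rename only
    print(stale_resources(BOB_POLICY, OLD, MOVED))  # rename plus path change
    print(stale_resources(rewrite_exact(BOB_POLICY, OLD, NEW), OLD, NEW))
```

A rename within the same path breaks only the exact reference, while a path change also strands the `division_abc/*` wildcard statement, which `rewrite_exact` deliberately leaves for a human to decide.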
The iam-groupmod command lets you
change the group's name or path. For more information about
the command, go to the AWS Identity and Access Management Command Line Interface Reference.
The UpdateGroup action lets you
change the group's name or path. For more information about
the action, go to the AWS Identity and Access Management API Reference, or refer to your SDK's
documentation.