AWS Identity and Access Management
User Guide

Managing Passwords for IAM Users

IAM users who work with your AWS resources from the AWS Management Console must have a password in order to sign in. You can create, change, or delete a password for an IAM user in your AWS account.

After you have assigned a password to a user, the user can sign in to the AWS Management Console using the sign-in URL for your account, which looks like this:

https://12-digit-AWS-account-ID.signin.aws.amazon.com/console

For more information about how IAM users sign in to the AWS Management Console, see The IAM Console and the Sign-in Page.

In addition to manually creating individual passwords for your IAM users, you can create a password policy that applies to all IAM user passwords in your AWS account. You can use a password policy to do these things:

  • Set a minimum password length.

  • Require specific character types, including uppercase letters, lowercase letters, numbers, and non-alphanumeric characters. Be sure to remind your users that passwords are case sensitive.

  • Allow all IAM users to change their own passwords.

    Note

    When you allow your IAM users to change their own passwords, IAM automatically allows them to view the password policy. IAM users need permission to view the account's password policy in order to create a password that complies with the policy.

  • Require IAM users to change their password after a specified period of time (enable password expiration).

  • Prevent IAM users from reusing previous passwords.

  • Force IAM users to contact an account administrator when the user has allowed his or her password to expire.

For information about managing your account's password policy, see Setting an Account Password Policy for IAM Users.
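The following is an added example, not part of the AWS documentation. It audits a policy in the shape returned by `aws iam get-account-password-policy` against the options listed above. The baseline values and the sample policy are assumptions chosen for illustration.

```python
# Added example (not AWS code). `policy` has the shape of the PasswordPolicy
# structure returned by `aws iam get-account-password-policy`.
# The baseline defaults below are assumptions; set them to your own standard.

CHARACTER_FLAGS = {
    "RequireUppercaseCharacters": "uppercase letters",
    "RequireLowercaseCharacters": "lowercase letters",
    "RequireNumbers": "numbers",
    "RequireSymbols": "non-alphanumeric characters",
}

# Constructed sample policy for illustration.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": False,
    "AllowUsersToChangePassword": False,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 3,
    "HardExpiry": False,
}


def audit_password_policy(policy, min_length=14, max_age_days=90, min_reuse=5):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < min_length:
        findings.append(f"minimum length {length} is below baseline {min_length}")
    for flag, label in CHARACTER_FLAGS.items():
        if not policy.get(flag, False):
            findings.append(f"{label} not required")
    # Expiration is treated as disabled when MaxPasswordAge is absent or 0.
    age = policy.get("MaxPasswordAge", 0)
    if age == 0:
        findings.append("password expiration not enabled")
    elif age > max_age_days:
        findings.append(f"passwords expire after {age} days, baseline is {max_age_days}")
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < min_reuse:
        findings.append(f"{reuse} previous passwords blocked, baseline is {min_reuse}")
    # Expiring passwords without self-service change forces a reset by an
    # administrator unless users hold change-password permission another way.
    if age and not policy.get("AllowUsersToChangePassword", False):
        findings.append("passwords expire but the policy does not let users change them")
    return findings
```

Calling `audit_password_policy(SAMPLE_POLICY)` returns four findings, including the combination of expiring passwords with no self-service change.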

Even if your users have their own passwords, they still need permissions to access your AWS resources. By default, a user has no permissions. To give your users the permissions they need, you assign policies to them or to the groups they belong to. For information about creating users and groups, see Identities (Users, Groups, and Roles). For information about using policies to set permissions, see Access Management.

You can grant users permission to change their own passwords. For more information, see Permitting IAM Users to Change Their Own Passwords. For information about how users access your account sign-in page, see The IAM Console and the Sign-in Page.

Creating, Changing, or Deleting an IAM User Password (AWS Management Console)

You can use the AWS Management Console to manage passwords for your IAM users.

To use the console to set a password for an IAM user that currently has no password

  1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose password you want to create.

  4. Choose the Security Credentials tab, and then choose Manage Password.

  5. Choose whether to create a custom password or to have IAM generate a password:

    • To create a custom password, select Assign a custom password, and type the password.

      Note

      The password that you create must meet the account's password policy, if one is currently set.

    • To have IAM generate a password, select Assign an auto-generated password.

    To require the user to create a new password when he or she signs in, select Require user to change password at next sign-in, and then choose Apply.

    Important

    If you select the Require user to change password at next sign-in option, make sure the user has permission to change his or her password. For more information, see Permitting IAM Users to Change Their Own Passwords.

  6. If you choose the option to auto-generate a password, choose Download Credentials to save the password as a CSV file to your computer.

    Important

    For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.

To use the console to change an IAM user's password

  1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose password you want to change.

  4. Choose the Security Credentials tab, and then choose Manage Password.

  5. Choose whether to replace the existing password with a custom password or to have IAM generate a new password:

    • To create a custom password, choose Replace existing password with new custom password, and then type the password.

      Note

      The password that you create must meet the account's password policy, if one is currently set.

    • To have IAM generate a password, choose Replace existing password with new auto-generated password.

    To require users to create a new password when they sign in, select Require user to change password at next sign-in, and then choose Apply.

    Important

    If you select Require user to change password at next sign-in, make sure the user has permission to change his or her password. For more information, see Permitting IAM Users to Change Their Own Passwords.

  6. If you selected the option to auto-generate a password, choose Download Credentials to save the password as a CSV file to your computer.

    Important

    You will not be able to access the password again after completing this step, but you can create a new password at any time.

To delete an IAM user's password using the console

  1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose password you want to delete.

  4. Choose the Security Credentials tab, and then choose Manage Password.

  5. Choose Remove existing password, and then choose Apply.

    Important

    When you remove a user's password, the user cannot sign in to the AWS Management Console. If the user has active access keys, they continue to function and allow access through the AWS CLI, Tools for Windows PowerShell, or AWS API function calls.
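The following is an added example, not part of the AWS documentation. It shows one way to find users in the state the note above describes, using the IAM credential report (`aws iam get-credential-report`). The report text is a constructed sample with a subset of the report's columns; the account ID and user names are placeholders.

```python
import csv
import io

# Constructed sample in the credential report CSV layout (subset of columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,no_information,false,false
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-01T09:12:00+00:00,false,false
bob,arn:aws:iam::111122223333:user/bob,false,N/A,true,false
carol,arn:aws:iam::111122223333:user/carol,false,N/A,false,false
deploy,arn:aws:iam::111122223333:user/deploy,false,N/A,true,true
"""

KEY_SLOTS = ("access_key_1", "access_key_2")


def keys_without_password(report_csv):
    """Return {user: [active key slots]} for users that have no console
    password but still hold at least one active access key."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        # Skip users who can still sign in, and the root row, which
        # reports "not_supported" in this column.
        if row["password_enabled"] != "false":
            continue
        active = [slot for slot in KEY_SLOTS
                  if row.get(f"{slot}_active") == "true"]
        if active:
            flagged[row["user"]] = active
    return flagged


if __name__ == "__main__":
    for user, slots in keys_without_password(SAMPLE_REPORT).items():
        print(f"{user}: no console password, active keys: {', '.join(slots)}")
```

Some flagged users are service accounts that never had a password. For a person whose password was removed to end their access, each listed key still has to be deactivated or deleted.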

Creating, Changing, or Deleting an IAM User Password (AWS CLI, Tools for Windows PowerShell, and AWS API)

To manage passwords for IAM users, use the following commands:

To create a password

To determine whether a user has a password

To determine when a user's password was last used

To change a user's password

To delete a user's password

Note

If you use the AWS CLI, Tools for Windows PowerShell, or AWS API to delete a user from your AWS account, you must first delete the password as a separate step in the process of removing the user. For more information, see Deleting an IAM User (AWS CLI and Tools for Windows PowerShell).