Menu
AWS Identity and Access Management
User Guide

Managing Passwords for IAM Users

IAM users who use the AWS Management Console to work with your AWS resources must have a password in order to sign in. You can create, change, or delete a password for an IAM user in your AWS account.

After you have assigned a password to a user, the user can sign in to the AWS Management Console using the sign-in URL for your account, which looks like this:

https://12-digit-AWS-account-ID or alias.signin.aws.amazon.com/console

For more information about how IAM users sign in to the AWS Management Console, see The IAM Console and the Sign-in Page.

In addition to manually creating individual passwords for your IAM users, you can create a password policy that applies to all IAM user passwords in your AWS account. You can use a password policy to do these things:

  • Set a minimum password length.

  • Require specific character types, including uppercase letters, lowercase letters, numbers, and non-alphanumeric characters. Be sure to remind your users that passwords are case sensitive.

  • Allow all IAM users to change their own passwords.

    Note

    When you allow your IAM users to change their own passwords, IAM automatically allows them to view the password policy. IAM users need permission to view the account's password policy in order to create a password that complies with the policy.

  • Require IAM users to change their password after a specified period of time (enable password expiration).

  • Prevent IAM users from reusing previous passwords.

  • Force IAM users to contact an account administrator when the user has allowed his or her password to expire.

For information about managing your account's password policy, see Setting an Account Password Policy for IAM Users.

Even if your users have their own passwords, they still need permissions to access your AWS resources. By default, a user has no permissions. To give your users the permissions they need, you assign policies to them or to the groups they belong to. For information about creating users and groups, see Identities (Users, Groups, and Roles). For information about using policies to set permissions, see Changing Permissions for an IAM User.

You can grant users permission to change their own passwords. For more information, see Permitting IAM Users to Change Their Own Passwords. For information about how users access your account sign-in page, see The IAM Console and the Sign-in Page.

Creating, Changing, or Deleting an IAM User Password (AWS Management Console)

You can use the AWS Management Console to manage passwords for your IAM users.

To use the console to set a password for an IAM user

  1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose password you want to create.

  4. Choose the Security Credentials tab, and then under Sign-in Credentials, choose Manage password next to Console password.

  5. In the Manage console access dialog box, for Console access choose Enable if not already selected. If console access is disabled, then no password is needed.

  6. For Set password, choose whether to have IAM generate a password or create a custom password:

    • To have IAM generate a password, choose Autogenerated password.

    • To create a custom password, choose Custom password, and type the password.

      Note

      The password that you create must meet the account's password policy, if one is currently set.

  7. To require the user to create a new password when signing in, choose Require password reset. Then choose Apply.

    Important

    If you select the Require password reset option, make sure the user has permission to change his or her password. For more information, see Permitting IAM Users to Change Their Own Passwords.

  8. If you choose the option to autogenerate a password, choose Show in the New password dialog box. This lets you view the password so you can share it with the user.

    Important

    For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.

To delete an IAM user's password using the console

Deleting a password for an IAM user removes that user's ability to use the AWS Management Console.

  1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose password you want to delete.

  4. Choose the Security Credentials tab, and then under Sign-in Credentials, choose Manage password next to Console password.

  5. For Console access, choose Disable, and then choose Apply.

  6. Important

    When you remove a user's password, the user can no longer sign in to the AWS Management Console. If the user has active access keys, they continue to function and allow access through the AWS CLI, Tools for Windows PowerShell, or AWS API function calls.

Creating, Changing, or Deleting an IAM User Password (AWS CLI, Tools for Windows PowerShell, and AWS API)

To manage passwords for IAM users, use the following commands:

To create a password

To determine whether a user has a password

To determine when a user's password was last used

To change a user's password

To delete a user's password

Note

If you use the AWS CLI, Tools for Windows PowerShell, or AWS API to delete a user from your AWS account, you must first delete the password as a separate step in the process of removing the user. For more information, see Deleting an IAM User (AWS CLI and Tools for Windows PowerShell).