AWS Identity and Access Management
User Guide

IAM: Allows IAM Users to Rotate Their Own Credentials Programmatically and in the Console

This example shows how you might create a policy that allows IAM users to rotate their own access keys, signing certificates, service specific credentials, and passwords. This policy also provides the permissions necessary to complete this action in the console.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:ListUsers", "iam:GetAccountPasswordPolicy" ], "Resource": "*", { "Effect": "Allow", "Action": [ "iam:*AccessKey*", "iam:ChangePassword", "iam:GetUser", "iam:*ServiceSpecificCredential*", "iam:*SigningCertificate*" ], "Resource": [ "arn:aws:iam::*:user/${aws:username}" ] } ] }

To learn how a user can change their own password in the console, see How IAM Users Change Their Own Password.