AWS Identity and Access Management
User Guide

Permitting IAM Users to Change Their Own Passwords

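You can grant IAM users the permission to change their own passwords for signing in to the AWS Management Console. You can do this in one of two ways: allow all IAM users to change their own passwords through the account's password policy settings, or allow only selected users by assigning a policy to them. The procedures below cover both.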

Important

We recommend that you set a password policy so that users create strong passwords.

To allow all IAM users to change their own passwords

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Account Settings.

  3. In the Password Policy section, select Allow users to change their own password, and then click Apply Password Policy.

  4. Point users to the following instructions that show how they can change their passwords: How IAM Users Change Their Own Password.

For information about the AWS CLI, Tools for Windows PowerShell, and API commands that you can use to change the account's password policy (which includes letting all users change their own passwords), see Setting a Password Policy (AWS CLI, Tools for Windows PowerShell, or AWS API).

To allow selected IAM users to change their own passwords

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Account Settings.

  3. In the Account Settings section, make sure that Allow users to change their own password is not selected. If this check box is selected, all users can change their own passwords. (See the previous procedure.)

  4. Create the users who should be able to change their own password, if they do not already exist. For details, see Creating an IAM User in Your AWS Account.

  5. Create an IAM group for the users who should be allowed to change their passwords, and then add the users from the previous step to the group. For details, see Creating Your First IAM Admin User and Group and Managing IAM Groups.

    This step is optional, but it's a best practice to use groups to manage permissions so that you can add and remove users and change the permissions for the group as a whole.

  6. Assign the following policy to the group. For details, see Working with Policies.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iam:GetAccountPasswordPolicy",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "iam:ChangePassword",
          "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
        }
      ]
    }

    This policy grants access to the ChangePassword action, which lets users change only their own passwords from the console, the AWS CLI, Tools for Windows PowerShell, or the API. It also grants access to the GetAccountPasswordPolicy action, which lets the user view the current password policy; this permission is required so that the user can display the Change Password page in the console. The user must be able to read the current password policy to ensure the changed password meets the requirements of the policy.

  7. Point users to the following instructions that show how they can change their passwords: How IAM Users Change Their Own Password.
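The following is an added example, not part of the original guide or of any AWS tool: it fills in the account ID placeholder of the policy from step 6 and shows how the ${aws:username} policy variable limits which user ARN the ChangePassword statement matches. The account ID, the user names and the is_allowed helper are constructed for illustration, and the evaluation is a simplification (Allow statements only, no Deny or conditions).

```python
import fnmatch
import json
import re

USERNAME_VAR = "${aws:username}"  # policy variable used in the page's policy


def build_policy(account_id: str) -> dict:
    """Fill the page's account-id-without-hyphens placeholder and return the policy."""
    digits = account_id.replace("-", "")
    if not re.fullmatch(r"\d{12}", digits):
        raise ValueError("an AWS account ID is 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iam:GetAccountPasswordPolicy",
             "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:ChangePassword",
             "Resource": f"arn:aws:iam::{digits}:user/{USERNAME_VAR}"},
        ],
    }


def is_allowed(policy: dict, username: str, action: str, resource_arn: str) -> bool:
    """Simplified evaluation: Allow statements with one Action and one Resource
    string each, as in the page's policy. No Deny, conditions or other policies."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != action:
            continue
        # The variable is replaced with the caller's user name before matching.
        pattern = stmt["Resource"].replace(USERNAME_VAR, username)
        if fnmatch.fnmatchcase(resource_arn, pattern):
            return True
    return False


if __name__ == "__main__":
    policy = build_policy("1234-5678-9012")  # constructed account ID
    print(json.dumps(policy, indent=2))
    base = "arn:aws:iam::123456789012:user/"
    # Constructed requests, all made by the user "alice".
    for arn in (base + "alice", base + "bob", base + "eng/alice"):
        print(arn, is_allowed(policy, "alice", "iam:ChangePassword", arn))
```

The last constructed ARN stands for a user created with the path /eng/; user ARNs include the path, so the Resource pattern in the policy does not match it.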

For More Information

For more information on managing credentials, see the following topics: