Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

AWS: Allows IAM users to change their own console password on the Security credentials page

Focus mode
AWS: Allows IAM users to change their own console password on the Security credentials page - AWS Identity and Access Management

This example shows how you might create an identity-based policy that allows IAM users to change their own AWS Management Console password on the Security credentials page. This AWS Management Console page displays account and user information, but the user can only access their own password. To allow users to manage all of their own credentials with MFA, see AWS: Allows MFA-authenticated IAM users to manage their own credentials on the Security credentials page. To allow users to manage their own credentials without using MFA, see AWS: Allows IAM users to manage their own credentials on the Security credentials page.

To learn how users can access the Security credentials page, see How IAM users change their own password (console).

What does this policy do?

  • The ViewAccountPasswordRequirements statement allows the user to view the account password requirements while changing their own IAM user password.

  • The ChangeOwnPassword statement allows the user to change their own password. This statement also includes the GetUser action, which is required to view most of the information on the My security credentials page.

This policy does not allow users to view the Users page in the IAM console or use that page to access their own user information. To allow this, add the iam:ListUsers action to the ViewAccountPasswordRequirements statement. It also does not allow users to change their password on their own user page. To allow this, add the iam:GetLoginProfile and iam:UpdateLoginProfile actions to the ChangeOwnPasswords statement.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ViewAccountPasswordRequirements", "Effect": "Allow", "Action": "iam:GetAccountPasswordPolicy", "Resource": "*" }, { "Sid": "ChangeOwnPassword", "Effect": "Allow", "Action": [ "iam:GetUser", "iam:ChangePassword" ], "Resource": "arn:aws:iam::*:user/${aws:username}" } ] }
PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.