IAM: Allows IAM users to rotate their own credentials programmatically and in the console - AWS Identity and Access Management

IAM: Allows IAM users to rotate their own credentials programmatically and in the console

This example shows how you might create an IAM policy that allows IAM users to rotate their own access keys, signing certificates, service specific credentials, and passwords. This policy defines permissions for programmatic and console access.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:ListUsers", "iam:GetAccountPasswordPolicy" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:*AccessKey*", "iam:ChangePassword", "iam:GetUser", "iam:*ServiceSpecificCredential*", "iam:*SigningCertificate*" ], "Resource": ["arn:aws:iam::*:user/${aws:username}"] } ] }

To learn how a user can change their own password in the console, see How an IAM user changes their own password.