Ensure that all your Amazon IAM users are allowed to change their own console password. Enabling this setting grants every IAM user in your AWS account permission to use the "iam:ChangePassword" action on their own user only, and general permission to use the "iam:GetAccountPasswordPolicy" action.
This rule can help you work with the AWS Well-Architected Framework.
Allowing Amazon IAM users to change their own console password can reduce the chance of IAM user passwords being stolen, lost or misplaced. To follow best practices, before allowing users to change their own password, ensure that your AWS account is configured to enforce a strong password policy for all IAM users. Having a strong, complex password policy in use will significantly reduce the risk of password-guessing methods and brute-force attacks.
Audit
To determine if your AWS password policy allows all IAM users to change their own console password, perform the following operations:
Remediation / Resolution
To ensure that all your Amazon IAM users are allowed to change their own console password, perform the following operations:
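The audit and remediation above both revolve around the AllowUsersToChangePassword flag of the account password policy. The following added example (not Conformity's own code) checks that flag in a constructed get-account-password-policy response and builds the full update-account-password-policy request that fixes it; it carries forward the existing settings because that API reverts any omitted parameter to its default, and it drops the read-only ExpirePasswords field, which the update call does not accept. The boto3 client is an assumption and is only used by remediate_live.

```python
"""Audit and remediate the IAM account password policy flag AllowUsersToChangePassword."""
from typing import Any

# Request parameters accepted by UpdateAccountPasswordPolicy. GetAccountPasswordPolicy
# additionally returns the read-only ExpirePasswords field, which must not be sent back.
UPDATABLE_FIELDS = {
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "MaxPasswordAge",
    "PasswordReusePrevention", "HardExpiry",
}

# Constructed sample: the PasswordPolicy object as returned by
# `aws iam get-account-password-policy` for a non-compliant account.
SAMPLE_POLICY: dict[str, Any] = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": False, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False,
}


def audit(policy: dict[str, Any]) -> bool:
    """Return True when IAM users may change their own console password."""
    return bool(policy.get("AllowUsersToChangePassword", False))


def build_remediation(policy: dict[str, Any]) -> dict[str, Any]:
    """Build the complete UpdateAccountPasswordPolicy request that fixes the finding.

    The update call does not support partial updates: any parameter left out reverts
    to its default. Carrying forward every existing setting keeps the strong policy
    (length, complexity, rotation) intact while flipping only the audited flag.
    """
    params = {k: v for k, v in policy.items() if k in UPDATABLE_FIELDS}
    params["AllowUsersToChangePassword"] = True
    return params


def remediate_live(iam_client) -> dict[str, Any]:
    """Apply the fix to a real account through a boto3 IAM client (assumed; not run here)."""
    try:
        current = iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        current = {}  # no custom policy exists yet; the update creates one
    params = build_remediation(current)
    iam_client.update_account_password_policy(**params)
    return params


if __name__ == "__main__":
    print("compliant" if audit(SAMPLE_POLICY) else "NON-COMPLIANT")
    print(build_remediation(SAMPLE_POLICY))
```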
References
- AWS Documentation
  - FAQs
  - IAM users
  - Permitting IAM users to change their own passwords
  - Setting an account password policy for IAM users
- AWS Command Line Interface (CLI) Documentation
  - iam
  - get-account-password-policy
  - update-account-password-policy
Allow IAM Users to Change Their Own Password
Risk Level: High