Allow IAM Users to Change Their Own Password

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that all your Amazon IAM users are allowed to change their own console password. Enabling this setting grants every IAM user in your AWS account the "iam:ChangePassword" action on their own user only, together with general access to the "iam:GetAccountPasswordPolicy" action.

This rule can help you work with the AWS Well-Architected Framework.

Security

Allowing Amazon IAM users to change their own console password can reduce the chance of IAM user passwords being stolen, lost or misplaced. To follow best practices, before allowing users to change their own password, ensure that your AWS account is configured to enforce a strong password policy for all IAM users. Having a strong, complex password policy in use will significantly reduce the risk of password-guessing methods and brute-force attacks.

Audit

To determine if your AWS password policy allows all IAM users to change their own console password, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console available at https://console.aws.amazon.com/iam/.

03 In the main navigation panel, under Access management, select Account settings.

04 In the Password policy section, search for Allow users to change their own password under Other requirements to determine if the password policy allows users to change their own password. If Allow users to change their own password is not listed under Other requirements, your AWS password policy does not allow IAM users to change their own console password.

Using AWS CLI

01 Run the get-account-password-policy command (OSX/Linux/UNIX) to determine if your AWS password policy allows IAM users to change their own password:

aws iam get-account-password-policy \
  --query 'PasswordPolicy.AllowUsersToChangePassword'

02 The command output should return the requested configuration information (true for enabled, false for disabled):

false

If the get-account-password-policy command output returns false, as shown in the output example above, the password policy configured for your AWS account does not allow IAM users to change their own console password.

Remediation / Resolution

To ensure that all your Amazon IAM users are allowed to change their own console password, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, choose Edit, and perform the following actions:

  1. Under Password policy, choose Custom, and ensure that you have configured a strong password policy.
  2. Select the Allow users to change their own password setting checkbox available under Other requirements to enable all IAM users within your AWS account to change their own console password.
  3. Choose Save changes to apply the configuration changes.

Using AWS CLI

01 Run the update-account-password-policy command (OSX/Linux/UNIX) to set up a strong password policy. Include the --allow-users-to-change-password command parameter to enable all Amazon IAM users to change their own AWS console password (the command does not produce an output):

aws iam update-account-password-policy \
  --minimum-password-length 14 \
  --require-uppercase-characters \
  --require-lowercase-characters \
  --require-numbers \
  --require-symbols \
  --max-password-age 90 \
  --password-reuse-prevention 5 \
  --allow-users-to-change-password
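As an added example (not part of the Conformity article or of AWS tooling), the following Python evaluates a PasswordPolicy object, the JSON returned by get-account-password-policy, against the baseline configured by the remediation command above, so the audit and remediation steps can be checked together in one pass. The sample policy is constructed, and BASELINE and evaluate_password_policy are this example's own names.

```python
"""Audit an IAM account password policy against the baseline the remediation
command above configures. Added example, not Conformity's or AWS's own code."""

# Baseline mirrors the update-account-password-policy flags in the remediation
# section; keys are the PasswordPolicy fields get-account-password-policy returns.
BASELINE = {
    "AllowUsersToChangePassword": True,  # the setting this rule audits
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 5,
}

# Constructed sample of a weak PasswordPolicy object (not real account data).
SAMPLE_WEAK_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": False, "ExpirePasswords": False,
}


def evaluate_password_policy(policy):
    """Return a list of findings; an empty list means the policy meets BASELINE.

    `policy` is the "PasswordPolicy" object from get-account-password-policy, or
    None when the account has no custom policy at all (the API call then fails
    with NoSuchEntity); this check treats that case as non-compliant.
    """
    if policy is None:
        return ["No custom password policy configured (NoSuchEntity)"]
    findings = []
    for key, want in BASELINE.items():
        have = policy.get(key)
        if want is True:
            if have is not True:
                findings.append(f"{key} is {have!r}, expected true")
        elif key == "MaxPasswordAge":
            if not have or have > want:  # absent or 0 means passwords never expire
                findings.append(f"{key} is {have!r}, expected 1..{want}")
        elif have is None or have < want:
            findings.append(f"{key} is {have!r}, expected >= {want}")
    return findings


if __name__ == "__main__":
    for finding in evaluate_password_policy(SAMPLE_WEAK_POLICY):
        print("FAIL:", finding)
```

Feed it the output of `aws iam get-account-password-policy --output json` (parsed with the json module) to audit a live account with the same logic.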

Publication date Sep 4, 2023