Status: Closed (chanansh closed this 3 years ago)
Upvoting this PR. I was going through the IAM tutorial "Permit users to manage their credentials and MFA settings" and hit this issue myself. I think iam:ChangePassword is enough, though, to prevent the password change deadlock.
Thanks for taking the time to provide feedback. The solution that you're recommending is not something that we recommend. The note at the top of the page explains why:
Note: This example policy does not allow users to reset a password while signing in for the first time. AWS recommends that you do not grant permissions to new users until after they sign in. For more information, see How do I securely create IAM users?. This also prevents users with an expired password from resetting their password before signing in. You can allow this by adding iam:ChangePassword and iam:GetAccountPasswordPolicy to the statement DenyAllExceptListedIfNoMFA. However, IAM does not recommend this. Allowing users to change their password without MFA can be a security risk.
Description of changes:

Without iam:ChangePassword and iam:GetAccountSummary, new users who are forced to replace their passwords are in a deadlock. They need to change their password to enable MFA, but they need MFA to change their password.
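The statement that the note and the PR description disagree about, as an added example that is not part of this PR or of AWS's own tutorial code: a small Python model of DenyAllExceptListedIfNoMFA that shows the first-sign-in deadlock in the documented form and what the proposed NotAction additions leave reachable without MFA. The NotAction list is an abbreviated, constructed version of the tutorial's, and the evaluator handles only NotAction plus a BoolIfExists condition, not the full IAM evaluation logic.

```python
# Constructed model of the DenyAllExceptListedIfNoMFA statement; a simplified
# evaluator (NotAction + BoolIfExists only), not the real IAM engine.
DENY_ALL_EXCEPT_LISTED_IF_NO_MFA = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    # Abbreviated, constructed list of the MFA-management actions left allowed.
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# The PR's variant: the same statement with the two actions from the note added.
PR_VARIANT = {
    **DENY_ALL_EXCEPT_LISTED_IF_NO_MFA,
    "NotAction": DENY_ALL_EXCEPT_LISTED_IF_NO_MFA["NotAction"]
    + ["iam:ChangePassword", "iam:GetAccountPasswordPolicy"],
}

def condition_matches(statement, context):
    """BoolIfExists: an absent key counts as a match; otherwise compare values."""
    cond = statement.get("Condition", {}).get("BoolIfExists", {})
    return all(
        key not in context or str(context[key]).lower() == expected
        for key, expected in cond.items()
    )

def denied(statement, action, context):
    """True if this Deny statement blocks `action` under request `context`."""
    if statement["Effect"] != "Deny" or not condition_matches(statement, context):
        return False
    # NotAction: the deny applies to every action NOT in the list.
    return action not in statement["NotAction"]

def first_sign_in_deadlock(statement):
    """Is a user who has not yet enrolled MFA blocked from changing their password?"""
    return denied(statement, "iam:ChangePassword", {"aws:MultiFactorAuthPresent": "false"})

def allowed_without_mfa(statement, actions):
    """Which of `actions` the statement leaves un-denied when no MFA key is present."""
    return sorted(a for a in actions if not denied(statement, a, {}))
```

Running first_sign_in_deadlock on both variants reproduces the PR's point (True for the documented statement, False for the variant), while allowed_without_mfa shows that the variant also exposes iam:ChangePassword to any session that lacks MFA, which is the risk the note describes.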