Closed alterEgo123 closed 1 year ago
Thank you for submitting this pull request.
In the provided example policy, the action iam:ChangePassword is deliberately excluded from policy statement DenyAllExceptListedIfNoMFA. This policy requires users to set up and authenticate using MFA before performing any other operations in AWS.
The following note is included on the example policy page that explains why this policy does not allow users to reset their password when signing in for the first time.
Note • This example policy does not allow users to reset a password while signing in to the AWS Management Console for the first time. We recommend that you do not grant permissions to new users until after they sign in. For more information, see How do I securely create IAM users?. This also prevents users with an expired password from resetting their password during sign in. You can allow this by adding iam:ChangePassword and iam:GetAccountPasswordPolicy to the statement DenyAllExceptListedIfNoMFA. However, we do not recommend this because allowing users to change their password without MFA can be a security risk.
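To make the decision concrete, here is an added Python model of how a Deny statement with NotAction and a BoolIfExists MFA condition evaluates a single action; this is example code written for this page, not the project's policy file, and the statement contents, the evaluation context keys and the single-statement evaluator are assumptions.

```python
import copy

# Assumed shape of the DenyAllExceptListedIfNoMFA statement (constructed for
# this example; not the project's policy file). Only this one statement is
# modelled: no Allow statements, no resource matching.
DENY_IF_NO_MFA = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}


def _bool_if_exists_matches(cond: dict, context: dict) -> bool:
    """BoolIfExists: a missing key counts as a match; otherwise compare."""
    for key, expected in cond.items():
        if key in context and str(context[key]).lower() != expected:
            return False
    return True


def deny_applies(statement: dict, action: str, context: dict) -> bool:
    """True when this Deny statement explicitly denies `action`.

    NotAction covers every action except those listed, so an action that is
    NOT in the list is the one the Deny hits (when the condition holds).
    """
    if statement["Effect"] != "Deny":
        return False
    if action in statement.get("NotAction", []):
        return False
    cond = statement.get("Condition", {}).get("BoolIfExists", {})
    return _bool_if_exists_matches(cond, context)


def with_change_password_allowed(statement: dict) -> dict:
    """The PR's proposed relaxation: add the password actions to NotAction."""
    patched = copy.deepcopy(statement)
    patched["NotAction"] += ["iam:ChangePassword", "iam:GetAccountPasswordPolicy"]
    return patched
```

Running it shows the two sides of the discussion: with the statement as published, iam:ChangePassword is denied whenever MFA is absent (including when the context key is missing entirely), and adding it to NotAction lifts that Deny, which is exactly the MFA gap the maintainer declined to open.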
On first login the user is unable to change his password because the action is not listed in the enabled actions if MFA is not enabled. This fixes it.
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.