Editing DenyAllExceptListedIfNoMFA
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html
This example policy does not allow users to reset a password while signing in for the first time. AWS recommends that you do not grant permissions to new users until after they sign in. For more information, see How do I securely create IAM users?. This also prevents users with an expired password from resetting their password before signing in. You can allow this by adding [[iam:ChangePassword]] and [[iam:GetAccountPasswordPolicy]] to the statement [[DenyAllExceptListedIfNoMFA]]. However, IAM does not recommend this. Allowing users to change their password without MFA can be a security risk.
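An audit check for the relaxation described above, added here as an example (it is not code from the AWS documentation or from this wiki): it reports when a Deny statement conditioned on missing MFA exempts the two password actions through its NotAction list, including by wildcard. The function names and the three sample policies are constructed for illustration, and the samples use a shortened NotAction list.

```python
import json
from fnmatch import fnmatchcase

# The two actions the paragraph names as possible additions to NotAction.
PASSWORD_ACTIONS = ("iam:changepassword", "iam:getaccountpasswordpolicy")

def _as_list(value):
    """IAM accepts a scalar or a list for NotAction and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_no_mfa_deny(stmt):
    """True for a Deny statement conditioned on aws:MultiFactorAuthPresent = false."""
    if stmt.get("Effect") != "Deny":
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower() not in ("bool", "boolifexists"):
            continue
        for key, val in keys.items():
            values = [str(v).lower() for v in _as_list(val)]
            if key.lower() == "aws:multifactorauthpresent" and values == ["false"]:
                return True
    return False

def password_actions_exempt_from_mfa(policy_json):
    """Map each no-MFA Deny statement's Sid to the password actions its NotAction exempts."""
    findings = {}
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if not _is_no_mfa_deny(stmt):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("NotAction"))]
        hits = [a for a in PASSWORD_ACTIONS if any(fnmatchcase(a, p) for p in patterns)]
        if hits:
            findings[stmt.get("Sid", "<no Sid>")] = hits
    return findings

def _policy(not_action):
    # Constructed sample: only the statement under discussion, with a shortened NotAction list.
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": not_action,
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]})

STRICT = _policy(["iam:EnableMFADevice", "iam:ListMFADevices", "sts:GetSessionToken"])
RELAXED = _policy(["iam:EnableMFADevice", "iam:ChangePassword", "iam:GetAccountPasswordPolicy"])
WILDCARD = _policy(["iam:*"])
```

An empty result means password changes still require MFA under that statement; a non-empty result lists the statement and the actions it lets through.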