AWS IAM policy Credential Settings
Based on my current users' scenario, I was thinking it would be useful to have an IAM policy that allowed 'ViewAccountPasswordRequirements' and 'ChangeOwnPassword'. I'm not sure why that wouldn't be the default behavior though in my AWS account.
Could anyone advise me how to draft a policy on that, and advise on whether we should/shouldn't allow all users to be able to reset their own passwords? Will this policy work fine for my situation, or does it require some changes, like MFA?
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewAccountPasswordRequirements",
            "Effect": "Allow",
            "Action": "iam:GetAccountPasswordPolicy",
            "Resource": "*"
        },
        {
            "Sid": "ChangeOwnPassword",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:ChangePassword"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}
```
Also, could anyone please advise if there is a programmatic way to attach the new policy to all users?
Solution 1:[1]
Regarding your question below:
> Could you advise me how to draft a policy on that, and advise on whether we should/shouldn't allow all users to be able to reset their own passwords?
I don't see any negative point in doing so, and if an organization has thousands of users then it's the best solution to give them this access, to reduce tickets for tiny tasks. There is no drawback to this policy. In fact, if security matters then you can enable MFA as well, so it forces users not to share their password with any other users, because every time it will ask for multi-factor authentication.
> Also, could anyone please advise if there is a programmatic way to attach the new policy to all users?
Using the console as well, you can do it quickly:
- Go to "Policies"
- Open any policy
- Select the "Policy Usage" tab
- Click "Attach" and select all the users you want to give this policy access.
You can use the boto3 Python library to write code that scans all the users and attaches the policy. I would suggest using a tag for each user so that you can scan users based on that tag, if possible.
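The tag-driven boto3 approach the answer suggests, as an added example that is not part of the original post: it walks every IAM user with the paginated `list_users` call, checks the user's tags via `list_user_tags`, and attaches the managed policy with `attach_user_policy`. The policy ARN, the tag key/value and the `FakeIAM` offline stand-in (used so the logic can be exercised without AWS credentials) are assumptions made for this demo.

```python
# Added example (not from the original post). The tag key/value, the ARN and FakeIAM
# are assumptions; against a real account pass boto3.client("iam") as `iam`.

def iter_users(iam):
    """Yield every IAM user, following list_users pagination (accounts can exceed one page)."""
    for page in iam.get_paginator("list_users").paginate():
        yield from page["Users"]


def user_has_tag(iam, user_name, key, value):
    """True if the user carries tag key=value; list_user_tags is paged with Marker."""
    marker = None
    while True:
        kwargs = {"UserName": user_name, **({"Marker": marker} if marker else {})}
        resp = iam.list_user_tags(**kwargs)
        if any(t["Key"] == key and t["Value"] == value for t in resp.get("Tags", [])):
            return True
        if not resp.get("IsTruncated"):
            return False
        marker = resp["Marker"]


def attach_policy_to_tagged_users(iam, policy_arn, key, value, dry_run=False):
    """Attach policy_arn to each user tagged key=value; returns the user names touched.
    attach_user_policy is idempotent, so re-running after a partial failure is safe."""
    touched = []
    for user in iter_users(iam):
        name = user["UserName"]
        if user_has_tag(iam, name, key, value):
            if not dry_run:
                iam.attach_user_policy(UserName=name, PolicyArn=policy_arn)
            touched.append(name)
    return touched


class FakeIAM:
    """Constructed offline stand-in for boto3's IAM client: two users, only alice tagged."""
    def __init__(self):
        self.attached = []
        self.tags = {"alice": [{"Key": "SelfService", "Value": "true"}], "bob": []}
    def get_paginator(self, name):
        pages = [{"Users": [{"UserName": "alice"}]}, {"Users": [{"UserName": "bob"}]}]
        return type("Paginator", (), {"paginate": lambda self: iter(pages)})()
    def list_user_tags(self, UserName, Marker=None):
        return {"Tags": self.tags[UserName], "IsTruncated": False}
    def attach_user_policy(self, UserName, PolicyArn):
        self.attached.append((UserName, PolicyArn))
```

Run it with `dry_run=True` first to review which users would receive the policy; the caller needs `iam:ListUsers`, `iam:ListUserTags` and `iam:AttachUserPolicy` permissions.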
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | helper |
