AWS IAM Policy to Allow Users to Change their own Passwords while Blocking Access to IAM

Question

I have some administrative accounts for my developers who should be able to administrate all aws resources but shouldn't be able to manage users/root properties. Thus I limited the access to IAM through the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*"
    }
  ]
}

However this blocks that users can change their own passwords. How can I block them from IAM but allow them to change their passwords?

Answer 1

The policy you have assigned grants access to all actions except those for AWS Identity and Access Management (IAM).

Therefore, to allow users to change their password, attach another (additional) policy to the user/group that grants permission to change passwords:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SomeSID",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword"
            ],
            "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
        }
    ]
}

While "deny" normally overrides "allow", the original policy did not use deny -- it merely granted permission for everything except IAM. Therefore, the additional "allow" will grant the desired permissions.

Answer 2

Amazon provides an example policy that doesn't require manually specifying the user's id for every user:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:*SSHPublicKey*"
      ],
      "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccount*",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

However, changing a password (at least during initial login, when "require password change on first login" was ticked when creating the user) still seems to require the iam:ChangePassword permission.

A much better option is to enable a password policy and check the "Allow users to change their own password" box; this does exactly as it says on the tin, with no fumbling around.