 

AWS IAM Policy to Allow Users to Change their own Passwords while Blocking Access to IAM

I have some administrative accounts for my developers who should be able to administrate all AWS resources but shouldn't be able to manage users/root properties. Thus I limited the access to IAM through the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*"
    }
  ]
}

However, this blocks users from changing their own passwords. How can I block them from IAM but allow them to change their passwords?

Manuel asked Dec 03 '14 11:12


2 Answers

The policy you have assigned grants access to all actions except those for AWS Identity and Access Management (IAM).

Therefore, to allow users to change their password, attach another (additional) policy to the user/group that grants permission to change passwords:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SomeSID",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword"
            ],
            "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
        }
    ]
}

While "deny" normally overrides "allow", the original policy did not use deny -- it merely granted permission for everything except IAM. Therefore, the additional "allow" will grant the desired permissions.

John Rotenstein answered Sep 21 '22 16:09


Amazon provides an example policy that doesn't require manually specifying the user's id for every user:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:*SSHPublicKey*"
      ],
      "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccount*",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

However, changing a password (at least during initial login, when "require password change on first login" was ticked when creating the user) still seems to require the iam:ChangePassword permission.

A much better option is to enable a password policy and check the "Allow users to change their own password" box; this does exactly as it says on the tin, with no fumbling around.

Xiong Chiamiov answered Sep 22 '22 16:09
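The following is an added example, not code from either answer or from AWS: a small offline model of how IAM evaluates identity-based policies, used to check the three policies above against concrete requests. It shows the point of the first answer (the original NotAction policy produces only an implicit deny, so an additional Allow for iam:ChangePassword on the caller's own user ARN takes effect, whereas an explicit Deny would not) and the point of the second answer (none of the iam:*LoginProfile / iam:*AccessKey* / iam:*SSHPublicKey* wildcards match iam:ChangePassword). The account id and the user names alice and bob are constructed placeholders; the evaluator models only Allow/Deny, Action/NotAction, Resource wildcards and the ${aws:username} variable, not Condition blocks or resource-based policies.

```python
import re

ACCOUNT_ID = "123456789012"  # constructed placeholder account id


def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character.
    Action names are matched case-insensitively, resource ARNs case-sensitively."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    regex = "^" + ".*".join(parts) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _statement_applies(stmt, action, resource, username):
    """True when the statement's Action/NotAction and Resource cover the request."""
    if "Action" in stmt:
        action_hit = any(_glob(p, action, True) for p in _as_list(stmt["Action"]))
    else:  # NotAction: covers every action except the listed ones
        action_hit = not any(_glob(p, action, True) for p in _as_list(stmt["NotAction"]))
    if not action_hit:
        return False
    # ${aws:username} is replaced with the caller's own name, scoping the statement to them.
    patterns = [p.replace("${aws:username}", username) for p in _as_list(stmt["Resource"])]
    return any(_glob(p, resource, False) for p in patterns)


def evaluate(policies, action, resource, username):
    """Return 'Allow' or 'Deny' for one request across all attached policies.
    An explicit Deny always wins; with no matching statement the result is an implicit Deny."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, username):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def user_arn(username):
    return f"arn:aws:iam::{ACCOUNT_ID}:user/{username}"


OWN_USER = f"arn:aws:iam::{ACCOUNT_ID}:user/${{aws:username}}"

# The question's original policy: everything except IAM.
ADMIN_EXCEPT_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}

# The first answer's additional policy.
CHANGE_OWN_PASSWORD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SomeSID", "Effect": "Allow", "Action": ["iam:ChangePassword"], "Resource": OWN_USER}]}

# The Amazon example quoted in the second answer.
SELF_SERVICE_CREDENTIALS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": OWN_USER,
     "Action": ["iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:ListAccount*", "iam:GetAccountSummary", "iam:GetAccountPasswordPolicy", "iam:ListUsers"]}]}

# Constructed contrast case: an explicit Deny instead of NotAction.
DENY_ALL_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}


def check_cases():
    me = "alice"  # constructed caller
    both = [ADMIN_EXCEPT_IAM, CHANGE_OWN_PASSWORD]
    return {
        # Original policy alone: non-IAM work is allowed, own password change is implicitly denied.
        "ec2_original": evaluate([ADMIN_EXCEPT_IAM], "ec2:RunInstances", "*", me),
        "own_pw_original": evaluate([ADMIN_EXCEPT_IAM], "iam:ChangePassword", user_arn(me), me),
        # With the extra Allow the own-password change succeeds; other users and other IAM
        # actions remain denied.
        "own_pw_both": evaluate(both, "iam:ChangePassword", user_arn(me), me),
        "other_pw_both": evaluate(both, "iam:ChangePassword", user_arn("bob"), me),
        "create_user_both": evaluate(both, "iam:CreateUser", "*", me),
        # Had the original policy used an explicit Deny, the extra Allow would be overridden.
        "own_pw_explicit_deny": evaluate([DENY_ALL_IAM, CHANGE_OWN_PASSWORD], "iam:ChangePassword", user_arn(me), me),
        # Amazon example: login-profile actions match, iam:ChangePassword does not.
        "login_profile_self_service": evaluate([SELF_SERVICE_CREDENTIALS], "iam:UpdateLoginProfile", user_arn(me), me),
        "change_pw_self_service": evaluate([SELF_SERVICE_CREDENTIALS], "iam:ChangePassword", user_arn(me), me),
    }


if __name__ == "__main__":
    for name, decision in check_cases().items():
        print(f"{name:28s} {decision}")
```

The NotAction statement never produces a Deny; it simply fails to match IAM actions, leaving them at the implicit default. That is why a second policy can re-open exactly one IAM action on the caller's own ARN, and why the same approach would fail against a policy built on an explicit Deny.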