diff --git a/internal/service/memorydb/user.go b/internal/service/memorydb/user.go
index 0f4e8b4bdaf6..7290d18e1e3c 100644
--- a/internal/service/memorydb/user.go
+++ b/internal/service/memorydb/user.go
@@ -50,7 +50,7 @@ func ResourceUser() *schema.Resource {
 Schema: map[string]*schema.Schema{
 "passwords": {
 Type: schema.TypeSet,
- Required: true,
+ Optional: true,
 MinItems: 1,
 MaxItems: 2,
 Elem: &schema.Schema{
@@ -94,12 +94,12 @@ func resourceUserCreate(ctx context.Context, d *schema.ResourceData, meta interf
 userName := d.Get("user_name").(string)
 input := &memorydb.CreateUserInput{
 AccessString: aws.String(d.Get("access_string").(string)),
- AuthenticationMode: &memorydb.AuthenticationMode{
- Passwords: flex.ExpandStringSet(d.Get("authentication_mode.0.passwords").(*schema.Set)),
- Type: aws.String(d.Get("authentication_mode.0.type").(string)),
- },
- Tags: getTagsIn(ctx),
- UserName: aws.String(userName),
+ Tags: getTagsIn(ctx),
+ UserName: aws.String(userName),
+ }
+
+ if v, ok := d.GetOk("authentication_mode"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
+ input.AuthenticationMode = expandAuthenticationMode(v.([]interface{})[0].(map[string]interface{}))
 }
 
 _, err := conn.CreateUserWithContext(ctx, input)
@@ -161,11 +161,8 @@ func resourceUserUpdate(ctx context.Context, d *schema.ResourceData, meta interf
 input.AccessString = aws.String(d.Get("access_string").(string))
 }
 
- if d.HasChange("authentication_mode") {
- input.AuthenticationMode = &memorydb.AuthenticationMode{
- Passwords: flex.ExpandStringSet(d.Get("authentication_mode.0.passwords").(*schema.Set)),
- Type: aws.String(d.Get("authentication_mode.0.type").(string)),
- }
+ if v, ok := d.GetOk("authentication_mode"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
+ input.AuthenticationMode = expandAuthenticationMode(v.([]interface{})[0].(map[string]interface{}))
 }
 
 _, err := conn.UpdateUserWithContext(ctx, input)
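Review bot: Making `passwords` optional in the first hunk leaves nothing visible in the schema that ties it to `authentication_mode.0.type`, so a configuration with `type = "password"` and no `passwords` (or `type = "iam"` with passwords still listed) appears to pass plan and is only judged by the API at apply time. The rest of the schema is outside this hunk, so a cross-field check may already exist; if it does not, a `CustomizeDiff` on the resource that rejects a password-type user without passwords would surface the misconfiguration before any call is made. The acceptance tests in this commit cover only the IAM success path, and a step with `ExpectError` for the password-without-passwords case would pin the behaviour.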
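Review bot: Dropping the `d.HasChange("authentication_mode")` guard in the resourceUserUpdate hunk means the block's contents, including the configured passwords, are put into the update input on every update, even one that only changes `access_string`. Re-sending credentials that did not change is avoidable exposure and may cause them to be reset server-side; the old guard can be kept around the new nil-safe expansion by wrapping the added `if v, ok := d.GetOk("authentication_mode"); ...` block in `if d.HasChange("authentication_mode") {`. The triple `v.([]interface{})` assertion here also appears in the create hunk, and binding it once (`tfList := v.([]interface{})`) would make both conditions easier to read. The function body starts and ends outside the hunk.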
@@ -204,3 +201,21 @@ func resourceUserDelete(ctx context.Context, d *schema.ResourceData, meta interf
 
 return nil
 }
+
+func expandAuthenticationMode(tfMap map[string]interface{}) *memorydb.AuthenticationMode {
+ if tfMap == nil {
+ return nil
+ }
+
+ apiObject := &memorydb.AuthenticationMode{}
+
+ if v, ok := tfMap["passwords"].(*schema.Set); ok && v.Len() > 0 {
+ apiObject.Passwords = flex.ExpandStringSet(v)
+ }
+
+ if v, ok := tfMap["type"].(string); ok && v != "" {
+ apiObject.Type = aws.String(v)
+ }
+
+ return apiObject
+}
diff --git a/internal/service/memorydb/user_test.go b/internal/service/memorydb/user_test.go
index eb122ad42c4d..1e5585f797be 100644
--- a/internal/service/memorydb/user_test.go
+++ b/internal/service/memorydb/user_test.go
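Review bot: `expandAuthenticationMode` has no doc comment, and its edge behaviour is worth stating because it decides what credential material is sent. It returns a non-nil, empty `AuthenticationMode` when the map carries neither a type nor passwords, and it copies `passwords` regardless of `type`, so an IAM-mode block that still lists passwords forwards them to the API. I would add `// expandAuthenticationMode converts one authentication_mode block into its API form; passwords are copied only when the set is non-empty and are not checked against type.` above the function.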
@@ -52,6 +52,45 @@ func TestAccMemoryDBUser_basic(t *testing.T) {
 })
 }
 
+func TestAccMemoryDBUser_iam_auth_mode(t *testing.T) {
+ ctx := acctest.Context(t)
+ rName := "tf-test-" + sdkacctest.RandString(8)
+ resourceName := "aws_memorydb_user.test"
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { acctest.PreCheck(ctx, t); testAccPreCheck(t) },
+ ErrorCheck: acctest.ErrorCheck(t, memorydb.EndpointsID),
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+ CheckDestroy: testAccCheckUserDestroy(ctx),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccUserConfigWithIAMAuthMode_basic(rName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckUserExists(ctx, resourceName),
+ resource.TestCheckResourceAttr(resourceName, "access_string", "on ~* &* +@all"),
+ acctest.CheckResourceAttrRegionalARN(resourceName, "arn", "memorydb", "user/"+rName),
+ //resource.TestCheckResourceAttr(resourceName, "authentication_mode.0.password_count", "1"),
+ //resource.TestCheckResourceAttr(resourceName, "authentication_mode.0.passwords.#", "1"),
+ //resource.TestCheckTypeSetElemAttr(resourceName, "authentication_mode.0.passwords.*", "aaaaaaaaaaaaaaaa"),
+ resource.TestCheckResourceAttr(resourceName, "authentication_mode.0.type", "iam"),
+ resource.TestCheckResourceAttrSet(resourceName, "minimum_engine_version"),
+ resource.TestCheckResourceAttr(resourceName, "user_name", rName),
+ resource.TestCheckResourceAttr(resourceName, "tags.%", "1"),
+ resource.TestCheckResourceAttr(resourceName, "tags.Test", "test"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{
+ "authentication_mode.0.passwords",
+ },
+ },
+ },
+ })
+}
+
 func TestAccMemoryDBUser_disappears(t *testing.T) {
 ctx := acctest.Context(t)
 rName := "tf-test-" + sdkacctest.RandString(8)
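Review bot: The three commented-out password assertions in the first step should be removed or replaced rather than left as dead code. For an IAM user the useful check is the negative one, that no password material reaches state, for example `resource.TestCheckResourceAttr(resourceName, "authentication_mode.0.passwords.#", "0")`; I am assuming an unset set is recorded with a count of zero, so confirm this against a test run. With no passwords configured, the `ImportStateVerifyIgnore` entry for `authentication_mode.0.passwords` in the import step also looks unnecessary, and dropping it would let import verification cover the whole block.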
@@ -273,6 +312,23 @@ resource "aws_memorydb_user" "test" {
 `, rName)
 }
 
+func testAccUserConfigWithIAMAuthMode_basic(rName string) string {
+ return fmt.Sprintf(`
+resource "aws_memorydb_user" "test" {
+ access_string = "on ~* &* +@all"
+ user_name = %[1]q
+
+ authentication_mode {
+ type = "iam"
+ }
+
+ tags = {
+ Test = "test"
+ }
+}
+`, rName)
+}
+
 func testAccUserConfig_accessString(rName, accessString string) string {
 return fmt.Sprintf(`
 resource "aws_memorydb_user" "test" {