feat: Allow users to change own password in iam-group-with-policies module #435
Conversation
|
@bryantbiggs , please have a look. Thanks! |
| "iam:CreateVirtualMFADevice", | ||
| "iam:EnableMFADevice", | ||
| "iam:GetUser", | ||
| "iam:GetMFADevice", | ||
| "iam:ListMFADevices", | ||
| "iam:ListVirtualMFADevices", | ||
| "iam:ResyncMFADevice", |
There was a problem hiding this comment.
Comparing the official AWS documentation page with this statement block, should not we also have one more in not_action?
To also allow a user to change their password from their own user page without signing in using MFA, add the iam:UpdateLoginProfile action to the DenyAllExceptListedIfNoMFA statement.
There was a problem hiding this comment.
The doc has a bit blurry description.
The iam:UpdateLoginProfile action as exception needed to change the password without MFA if MFA enforcement is present, for example on initial login to reset the password.
But at the same time it gives the ability to bypass MFA when using AWS CLI or API to update the password via login profile call, e.g. aws iam update-login-profile. So in case of compromised access keys, the password could be changed without MFA code which is only required to login through Web Console.
antonbabenko
changed the title
## [5.31.0](v5.30.2...v5.31.0) (2023-11-13) ### Features * Allow users to change own password in iam-group-with-policies module ([#435](#435)) ([eb5b218](eb5b218))
|
This PR is included in version 5.31.0 🎉 |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Description
This PR corrects IAM Self-manage policy according to example from AWS: Allows MFA-authenticated IAM users to manage their own credentials on the My security credentials page :
iam:GetLoginProfileandiam:UpdateLoginProfileactions to be added to theAllowManageOwnPasswordsstatement.DenyAllExceptListedIfNoMFAstatement has been corrected to include missingiam:GetMFADevicepermission for own MFA management.iam:ChangePasswordaction should not be allowed without MFA authorization if it was enforced. This does not allow a user to create a password at sign-in, the MFA must be created and user must authenticate using it before attempting to change administrator provided password.Motivation and Context
Stay up to date with AWS recommendations for access policies, grant permissions necessary for IAM user selfie-management via AWS Web Console.
Make sure if MFA is enforced, it disallows unauthorized password change for IAM user in case of credentials leak.
Breaking Changes
None.
How Has This Been Tested?
examples/*to demonstrate and validate my change(s)examples/*projectspre-commit run -aon my pull request