Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Allow users to change own password in iam-group-with-policies module #435

Merged
merged 1 commit into from
Nov 13, 2023
Merged

feat: Allow users to change own password in iam-group-with-policies module #435

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions modules/iam-group-with-policies/policies.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,9 @@ data "aws_iam_policy_document" "iam_self_management" {

actions = [
"iam:ChangePassword",
"iam:GetUser"
"iam:GetLoginProfile",
"iam:GetUser",
"iam:UpdateLoginProfile"
]

resources = [
Expand Down Expand Up @@ -153,10 +155,10 @@ data "aws_iam_policy_document" "iam_self_management" {
sid = "DenyAllExceptListedIfNoMFA"
effect = "Deny"
not_actions = [
"iam:ChangePassword",
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:GetMFADevice",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comparing the official AWS documentation page with this statement block, should not we also have one more in not_action?

To also allow a user to change their password from their own user page without signing in using MFA, add the iam:UpdateLoginProfile action to the DenyAllExceptListedIfNoMFA statement.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The doc has a bit blurry description.
The iam:UpdateLoginProfile action as exception needed to change the password without MFA if MFA enforcement is present, for example on initial login to reset the password.
But at the same time it gives the ability to bypass MFA when using AWS CLI or API to update the password via login profile call, e.g. aws iam update-login-profile. So in case of compromised access keys, the password could be changed without MFA code which is only required to login through Web Console.

Expand Down