

# User passwords in AWS
<a name="id_credentials_passwords"></a>

You can manage passwords for IAM users in your account. IAM users need passwords in order to access the AWS Management Console. Users do not need passwords to access AWS resources programmatically by using the AWS CLI, Tools for Windows PowerShell, the AWS SDKs or APIs. For those environments, you have the option of assigning IAM users [access keys](id_credentials_access-keys.md). However, there are other more secure alternatives to access keys that we recommend you consider first. For more information, see [AWS security credentials](security-creds.md).

**Note**  
If one of your IAM users loses or forgets their password, you *cannot* retrieve it from IAM. Depending on your settings, either the user or the administrator must create a new password.

**Topics**
+ [Set an account password policy for IAM users](id_credentials_passwords_account-policy.md)
+ [Manage passwords for IAM users](id_credentials_passwords_admin-change-user.md)
+ [Permit IAM users to change their own passwords](id_credentials_passwords_enable-user-change.md)
+ [How an IAM user changes their own password](id_credentials_passwords_user-change-own.md)

# Set an account password policy for IAM users
<a name="id_credentials_passwords_account-policy"></a>

You can set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. If you don't set a custom password policy, IAM user passwords must meet the default AWS password policy. For more information, see [Custom password policy options](#password-policy-details).

**Topics**
+ [Rules for setting a password policy](#password-policy-rules)
+ [Permissions required to set a password policy](#default-policy-permissions-required)
+ [Default password policy](#default-policy-details)
+ [Custom password policy options](#password-policy-details)
+ [To set a password policy (console)](#IAMPasswordPolicy)
+ [To change a password policy (console)](#id_credentials_passwords_account-policy-section-1)
+ [To delete a custom password policy (console)](#id_credentials_passwords_account-policy-section-2)
+ [Setting a password policy (AWS CLI)](#PasswordPolicy_CLI)
+ [Setting a password policy (AWS API)](#PasswordPolicy_API)

## Rules for setting a password policy
<a name="password-policy-rules"></a>

The IAM password policy does not apply to the AWS account root user password or IAM user access keys. If a password expires, the IAM user can't sign in to the AWS Management Console but can continue to use their access keys.

When you create or change a password policy, most of the password policy settings are enforced the next time your users change their passwords. However, some of the settings are enforced immediately. For example: 
+ When the minimum length and character type requirements change, these settings are enforced the next time that your users change their passwords. Users are not forced to change their existing passwords, even if the existing passwords do not adhere to the updated password policy.
+ When you set a password expiration period, the expiration period is enforced immediately. For example, assume that you set a password expiration period of 90 days. In that case, the password expires for all IAM users whose existing password is older than 90 days. Those users are required to change their password the next time that they sign in.
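
The following added example (not part of the original AWS documentation) estimates who is affected the moment an expiration period is set. It assumes rows shaped like the IAM credential report columns `user`, `password_enabled`, and `password_last_changed`, a 15-day warning window inferred from the 75-89 day case described under the custom policy options, and that a password whose age equals the period counts as expired; the sample rows are constructed.

```python
from datetime import datetime, timezone

# Assumption: 15-day console warning window, inferred from the page's 90-day
# example in which passwords 75-89 days old trigger a warning.
WARNING_WINDOW_DAYS = 15
# Range the page gives for the expiration period, in days.
MIN_AGE_DAYS, MAX_AGE_DAYS = 1, 1095

# Constructed sample rows using credential report column names.
SAMPLE_ROWS = [
    {"user": "alice", "password_enabled": "true",
     "password_last_changed": "2024-01-10T09:00:00+00:00"},
    {"user": "bob", "password_enabled": "true",
     "password_last_changed": "2024-03-15T12:00:00+00:00"},
    {"user": "carol", "password_enabled": "true",
     "password_last_changed": "2024-05-20T08:00:00+00:00"},
    # Programmatic-only user: no console password, so nothing can expire.
    {"user": "ci-deploy", "password_enabled": "false",
     "password_last_changed": "N/A"},
    # The password policy does not apply to the root user.
    {"user": "<root_account>", "password_enabled": "not_supported",
     "password_last_changed": "not_supported"},
]
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def expiration_impact(rows, max_password_age_days, now):
    """Group users by what happens once the expiration period is saved."""
    if not MIN_AGE_DAYS <= max_password_age_days <= MAX_AGE_DAYS:
        raise ValueError("expiration period must be between 1 and 1,095 days")
    impact = {"expired": [], "warning": [], "ok": [], "not_applicable": []}
    warn_from = max(0, max_password_age_days - WARNING_WINDOW_DAYS)
    for row in rows:
        if row["password_enabled"] != "true":
            impact["not_applicable"].append(row["user"])
            continue
        changed = datetime.fromisoformat(row["password_last_changed"])
        age_days = (now - changed).days  # whole days since the last change
        if age_days >= max_password_age_days:
            impact["expired"].append(row["user"])   # must change at next sign-in
        elif age_days >= warn_from:
            impact["warning"].append(row["user"])   # sees a console warning
        else:
            impact["ok"].append(row["user"])
    return impact


if __name__ == "__main__":
    for period in (90, 30):
        print(period, expiration_impact(SAMPLE_ROWS, period, SAMPLE_NOW))
```

Users in the `expired` group can still use their access keys, as noted above, so this check covers console sign-in only.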

You can't create a "lockout policy" to lock a user out of the account after a specified number of failed sign-in attempts. For enhanced security, we recommend that you combine a strong password policy with multi-factor authentication (MFA). For more information about MFA, see [AWS Multi-factor authentication in IAM](id_credentials_mfa.md).

## Permissions required to set a password policy
<a name="default-policy-permissions-required"></a>

You must configure permissions to allow an IAM entity (user or role) to view or edit their account password policy. You can include the following password policy actions in an IAM policy: 
+ `iam:GetAccountPasswordPolicy` – Allows the entity to view the password policy for their account
+ `iam:DeleteAccountPasswordPolicy` – Allows the entity to delete the custom password policy for their account and revert to the default password policy
+ `iam:UpdateAccountPasswordPolicy` – Allows the entity to create or change the custom password policy for their account

The following policy allows full access to view and edit the account password policy. To learn how to create an IAM policy using this example JSON policy document, see [Creating policies using the JSON editor](access_policies_create-console.md#access_policies_create-json-editor).

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullAccessPasswordPolicy",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:DeleteAccountPasswordPolicy",
                "iam:UpdateAccountPasswordPolicy"
            ],
            "Resource": "*"
        }
    ]
}
```

------

For information about the permissions required for an IAM user to change their own password, see [Permit IAM users to change their own passwords](id_credentials_passwords_enable-user-change.md).

## Default password policy
<a name="default-policy-details"></a>

If an administrator does not set a custom password policy, IAM user passwords must meet the default AWS password policy.

The default password policy enforces the following conditions:
+ Minimum password length of 8 characters and a maximum length of 128 characters
+ At least three of the following character types: uppercase letters, lowercase letters, numbers, and non-alphanumeric characters (`! @ # $ % ^ & * ( ) _ + - = [ ] { } | '`)
+ Must not be identical to your AWS account name or email address
+ Passwords never expire

## Custom password policy options
<a name="password-policy-details"></a>

When you configure a custom password policy for your account, you can specify the following conditions:
+ **Password minimum length** – You can specify a minimum of 6 characters and a maximum of 128 characters.
+ **Password strength** – You can select any of the following checkboxes to define the strength of your IAM user passwords:
  + Require at least one uppercase letter from the Latin alphabet (A–Z)
  + Require at least one lowercase letter from the Latin alphabet (a–z)
  + Require at least one number
  + Require at least one nonalphanumeric character `! @ # $ % ^ & * ( ) _ + - = [ ] { } | '` 
+ **Turn on password expiration** – You can select and specify a minimum of 1 and a maximum of 1,095 days that IAM user passwords are valid after they are set. For example, if you specify an expiration of 90 days, it immediately impacts all of your users. For users with passwords older than 90 days, when they log into the console after the change, they must set a new password. Users with passwords 75-89 days old receive an AWS Management Console warning about their password expiration. IAM users can change their password at any time if they have permission. When they set a new password, the expiration period for that password starts over. An IAM user can have only one valid password at a time.
+ **Password expiration requires administrator reset** – Select this option to prevent IAM users from using the AWS Management Console to update their own passwords after the password expires. Before you select this option, confirm that your AWS account has more than one user with administrative permissions to reset IAM user passwords. Administrators with `iam:UpdateLoginProfile` permission can reset IAM user passwords. IAM users with `iam:ChangePassword` permission and active access keys can reset their own IAM user console password programmatically. If you clear this checkbox, IAM users with expired passwords must still set a new password before they can access the AWS Management Console.
+ **Allow users to change their own password** – You can permit all IAM users in your account to change their own password. This gives users access to the `iam:ChangePassword` action for only their user and to the `iam:GetAccountPasswordPolicy` action. This option does not attach a permissions policy to each user. Rather, IAM applies the permissions at the account-level for all users. Alternatively, you can allow only some users to manage their own passwords. To do so, you clear this checkbox. For more information about using policies to limit who can manage passwords, see [Permit IAM users to change their own passwords](id_credentials_passwords_enable-user-change.md).
+ **Prevent password reuse** – You can prevent IAM users from reusing a specified number of previous passwords. You can specify a minimum number of 1 and a maximum number of 24 previous passwords that can't be repeated. 
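
The following added example (not part of the original AWS documentation) reviews a proposed custom policy against the ranges listed above and against the default policy, since a custom policy can be weaker than the default (for example, a minimum length of 6). The dictionary keys are the parameter names of `UpdateAccountPasswordPolicy`; the sample policies, the finding codes, and the character-class comparison heuristic are assumptions of this example.

```python
# Ranges stated on this page for custom policy options.
LENGTH_RANGE = (6, 128)
MAX_AGE_RANGE = (1, 1095)
REUSE_RANGE = (1, 24)
# Default policy values stated on this page.
DEFAULT_MIN_LENGTH = 8
DEFAULT_CHAR_CLASSES = 3  # default requires three of the four character types

CHAR_CLASS_KEYS = (
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
)


def _in_range(value, bounds):
    return bounds[0] <= value <= bounds[1]


def review_custom_policy(policy):
    """Return {'errors': [...], 'warnings': [...]} as (code, message) pairs."""
    errors, warnings = [], []

    # Assumption: a missing length is treated as the lowest allowed value.
    length = policy.get("MinimumPasswordLength", LENGTH_RANGE[0])
    if not _in_range(length, LENGTH_RANGE):
        errors.append(("LENGTH_OUT_OF_RANGE", f"minimum length {length} is outside 6-128"))
    if length < DEFAULT_MIN_LENGTH:
        warnings.append(("LENGTH_BELOW_DEFAULT", "minimum length is shorter than the default of 8"))

    # Heuristic: the default accepts any three types, a custom policy names
    # specific ones, so the count is only a rough comparison.
    required = sum(bool(policy.get(key)) for key in CHAR_CLASS_KEYS)
    if required < DEFAULT_CHAR_CLASSES:
        warnings.append(("FEWER_CHAR_CLASSES_THAN_DEFAULT",
                         f"only {required} character types required; default needs 3"))

    max_age = policy.get("MaxPasswordAge")
    if max_age is not None and not _in_range(max_age, MAX_AGE_RANGE):
        errors.append(("MAX_AGE_OUT_OF_RANGE", f"expiration {max_age} is outside 1-1,095 days"))

    reuse = policy.get("PasswordReusePrevention")
    if reuse is not None and not _in_range(reuse, REUSE_RANGE):
        errors.append(("REUSE_OUT_OF_RANGE", f"reuse prevention {reuse} is outside 1-24"))

    # Expired passwords then need an administrator reset, so more than one
    # administrator must be able to reset passwords.
    if policy.get("HardExpiry") and max_age is not None:
        warnings.append(("HARD_EXPIRY_NEEDS_ADMINS",
                         "confirm more than one administrator can reset passwords"))

    return {"errors": errors, "warnings": warnings}


# Constructed sample policies.
WEAK_POLICY = {
    "MinimumPasswordLength": 6, "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 5, "HardExpiry": True,
}
INVALID_POLICY = {"MinimumPasswordLength": 4, "MaxPasswordAge": 2000,
                  "PasswordReusePrevention": 30}
STRONG_POLICY = {
    "MinimumPasswordLength": 14, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "RequireNumbers": True,
    "RequireSymbols": True, "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24, "HardExpiry": False,
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("invalid", INVALID_POLICY), ("strong", STRONG_POLICY)):
        print(name, review_custom_policy(pol))
```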

## To set a password policy (console)
<a name="IAMPasswordPolicy"></a>

You can use the AWS Management Console to create, change, or delete a custom password policy. Changes to the password policy apply to new IAM users created after this policy change and existing IAM users when they change their passwords.

------
#### [ Console ]

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose **Account settings**.

1. In the **Password policy** section, choose **Edit**. 

1. Choose **Custom** to use a custom password policy.

1. Select the options that you want to apply to your password policy and choose **Save changes**. 

1. Confirm that you want to set a custom password policy by choosing **Set custom**.

The console displays a status message informing you that password requirements for IAM users have been updated.

------

## To change a password policy (console)
<a name="id_credentials_passwords_account-policy-section-1"></a>

You can use the AWS Management Console to create, change, or delete a custom password policy. Changes to the password policy apply to new IAM users created after this policy change and existing IAM users when they change their passwords.

------
#### [ Console ]

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose **Account settings**.

1. In the **Password policy** section, choose **Edit**. 

1. Select the options that you want to apply to your password policy and choose **Save changes**. 

1. Confirm that you want to set a custom password policy by choosing **Set custom**.

The console displays a status message informing you that password requirements for IAM users have been updated.

------

## To delete a custom password policy (console)
<a name="id_credentials_passwords_account-policy-section-2"></a>

You can use the AWS Management Console to create, change, or delete a custom password policy. Changes to the password policy apply to new IAM users created after this policy change and existing IAM users when they change their passwords.

------
#### [ Console ]

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose **Account settings**.

1. In the **Password policy** section, choose **Edit**. 

1. Choose **IAM default** to delete the custom password policy and choose **Save changes**.

1. Confirm that you want to set the IAM default password policy by choosing **Set default**.

The console displays a status message informing you that the password policy is set to IAM default.

------

## Setting a password policy (AWS CLI)
<a name="PasswordPolicy_CLI"></a>

You can use the AWS Command Line Interface to set a password policy.

**To manage the custom account password policy from the AWS CLI**  
Run the following commands:
+ To create or change the custom password policy: [aws iam update-account-password-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/update-account-password-policy.html)
+ To view the password policy: [aws iam get-account-password-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html)
+ To delete the custom password policy: [aws iam delete-account-password-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-account-password-policy.html)

## Setting a password policy (AWS API)
<a name="PasswordPolicy_API"></a>

You can use AWS API operations to set a password policy.

**To manage the custom account password policy from the AWS API**  
Call the following operations:
+ To create or change the custom password policy: [UpdateAccountPasswordPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccountPasswordPolicy.html)
+ To view the password policy: [GetAccountPasswordPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountPasswordPolicy.html)
+ To delete the custom password policy: [DeleteAccountPasswordPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccountPasswordPolicy.html)

# Manage passwords for IAM users
<a name="id_credentials_passwords_admin-change-user"></a>

IAM users who use the AWS Management Console to work with AWS resources must have a password in order to sign in. You can create, change, or delete a password for an IAM user in your AWS account. 

After you have assigned a password to a user, the user can sign in to the AWS Management Console using the sign-in URL for your account, which looks like this: 

```
https://12-digit-AWS-account-ID or alias.signin.aws.amazon.com/console
```

For more information about how IAM users sign in to the AWS Management Console, see [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*. 

Even if your users have their own passwords, they still need permissions to access your AWS resources. By default, a user has no permissions. To give your users the permissions they need, you assign policies to them or to the groups they belong to. For information about creating users and groups, see [IAM Identities](id.md). For information about using policies to set permissions, see [Change permissions for an IAM user](id_users_change-permissions.md). 

You can grant users permission to change their own passwords. For more information, see [Permit IAM users to change their own passwords](id_credentials_passwords_enable-user-change.md). For information about how users access your account sign-in page, see [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*. 

**Topics**
+ [Creating, changing, or deleting an IAM user password (console)](#id_credentials_passwords_admin-change-user_console)

## Creating, changing, or deleting an IAM user password (console)
<a name="id_credentials_passwords_admin-change-user_console"></a>

You can use the AWS Management Console to manage passwords for your IAM users.

The access needs of your users can change over time. You might need to enable a user intended for CLI access to have console access, change a user's password because they receive the email with their credentials, or delete a user when they leave your organization or no longer need AWS access. 

### To create an IAM user password (console)
<a name="id_credentials_passwords_admin-change-user-section-1"></a>

Use this procedure to give a user console access by creating a password that is associated with the username.

------
#### [ Console ]

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose **Users**.

1. Choose the name of the user whose password you want to create. 

1. Choose the **Security credentials** tab, and then under **Console sign-in**, choose **Enable console access**.

1. In the **Enable console access** dialog box, select **Reset password**, then choose whether to have IAM generate a password or create a custom password: 
   + To have IAM generate a password, choose **Autogenerated password**.
   + To create a custom password, choose **Custom password**, and type the password. 
**Note**  
The password that you create must meet the account's [password policy](id_credentials_passwords_account-policy.md).

1. To require the user to create a new password when signing in, choose **Require password change at the next sign-in**. 

1. To require the user to use the new password immediately, select **Revoke active console sessions**. This attaches an inline policy to the IAM user that denies the user access to resources if their credentials are older than the time specified by the policy.

1. Choose **Reset password**.

1. The **Console password** dialog informs you that you have enabled the user's new password. To view the password so you can share it with the user, choose **Show** in the **Console password** dialog box. Select **Download .csv file** to download a file with the user's credentials.
**Important**  
For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.

The console displays a status message informing you that console access has been enabled.

------

### To change the password for an IAM user (console)
<a name="id_credentials_passwords_admin-change-user-section-2"></a>

Use this procedure to update a password that is associated with the username.

------
#### [ Console ]

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose **Users**.

1. Choose the name of the user whose password you want to change. 

1. Choose the **Security credentials** tab, and then under **Console sign-in**, choose **Manage console access**.

1. In the **Manage console access** dialog box, select **Reset password**, then choose whether to have IAM generate a password or create a custom password: 
   + To have IAM generate a password, choose **Autogenerated password**.
   + To create a custom password, choose **Custom password**, and type the password. 
**Note**  
The password that you create must meet the account's [password policy](id_credentials_passwords_account-policy.md).

1. To require the user to create a new password when signing in, choose **Require password change at the next sign-in**. 

1. To require the user to use the new password immediately, select **Revoke active console sessions**. This attaches an inline policy to the IAM user that denies the user access to resources if their credentials are older than the time specified by the policy.

1. Choose **Reset password**.

1. The **Console password** dialog informs you that you have enabled the user's new password. To view the password so you can share it with the user, choose **Show** in the **Console password** dialog box. Select **Download .csv file** to download a file with the user's credentials.
**Important**  
For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.

The console displays a status message informing you that console access has been updated.

------

### To delete (disable) an IAM user password (console)
<a name="id_credentials_passwords_admin-change-user-section-3"></a>

Use this procedure to delete a password that is associated with the username, removing console access for the user.

**Important**  
You can prevent an IAM user from accessing the AWS Management Console by removing their password. This prevents them from signing in to the AWS Management Console using their sign-in credentials. It does not change their permissions or prevent them from accessing the console using an assumed role. If the user has active access keys, they continue to function and allow access through the AWS CLI, Tools for Windows PowerShell, AWS API, or the AWS Console Mobile Application.

------
#### [ Console ]

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose **Users**.

1. Choose the name of the user whose password you want to delete. 

1. Choose the **Security credentials** tab, and then under **Console sign-in**, choose **Manage console access**.

1. To require the user to stop using the console immediately, select **Revoke active console sessions**. This attaches an inline policy to the IAM user that denies the user access to resources if their credentials are older than the time specified by the policy.

1. Choose **Disable access**.

The console displays a status message informing you that console access has been disabled.

------

### Creating, changing, or deleting an IAM user password (AWS CLI)
<a name="Using_ManagingPasswordsCLIAPI"></a>

You can use the AWS CLI to manage passwords for your IAM users.

**To create a password (AWS CLI)**

1. (Optional) To determine whether a user has a password, run this command: [aws iam get-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/get-login-profile.html)

1. To create a password, run this command: [aws iam create-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/create-login-profile.html)

**To change a user's password (AWS CLI)**

1. (Optional) To determine whether a user has a password, run this command: [aws iam get-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/get-login-profile.html)

1. To change a password, run this command: [aws iam update-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/update-login-profile.html)

**To delete (disable) a user's password (AWS CLI)**

1. (Optional) To determine whether a user has a password, run this command: [aws iam get-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/get-login-profile.html)

1. (Optional) To determine when a password was last used, run this command: [aws iam get-user](https://docs.aws.amazon.com/cli/latest/reference/iam/get-user.html)

1. To delete a password, run this command: [aws iam delete-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html)

**Important**  
When you delete a user's password, the user can no longer sign in to the AWS Management Console. If the user has active access keys, they continue to function and allow access through the AWS CLI, Tools for Windows PowerShell, or AWS API function calls. When you use the AWS CLI, Tools for Windows PowerShell, or AWS API to delete a user from your AWS account, you must first delete the password using this operation. For more information, see [Deleting an IAM user (AWS CLI)](id_users_remove.md#id_users_deleting_cli). 

**To revoke a user's active console sessions before a specified time (AWS CLI)**

1. To embed an inline policy that revokes an IAM user's active console sessions before a specified time, use the following inline policy and run this command: [aws iam put-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-user-policy.html)

   This inline policy denies all permissions and includes the `aws:TokenIssueTime` condition key. It revokes the user's active console sessions before the specified time in the `Condition` element of the inline policy. Replace the `aws:TokenIssueTime` condition key value with your own value.

------
#### [ JSON ]

   ```
   {
     "Version": "2012-10-17",
     "Statement": {
       "Effect": "Deny",
       "Action": "*",
       "Resource": "*",
       "Condition": {
         "DateLessThan": {
           "aws:TokenIssueTime": "2014-05-07T23:47:00Z"
         }
       }
     }
   }
   ```

------

1. (Optional) To list the names of the inline policies embedded in the IAM user, run this command: [aws iam list-user-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-user-policies.html)

1. (Optional) To view the named inline policy embedded in the IAM user, run this command: [aws iam get-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-user-policy.html)

### Creating, changing, or deleting an IAM user password (AWS API)
<a name="Using_ManagingPasswordsAPI"></a>

You can use the AWS API to manage passwords for your IAM users.

**To create a password (AWS API)**

1. (Optional) To determine whether a user has a password, call this operation: [GetLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetLoginProfile.html)

1. To create a password, call this operation: [CreateLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html)

**To change a user's password (AWS API)**

1. (Optional) To determine whether a user has a password, call this operation: [GetLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetLoginProfile.html)

1. To change a password, call this operation: [UpdateLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateLoginProfile.html)

**To delete (disable) a user's password (AWS API)**

1. (Optional) To determine whether a user has a password, call this operation: [GetLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetLoginProfile.html)

1. (Optional) To determine when a password was last used, call this operation: [GetUser](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUser.html)

1. To delete a password, call this operation: [DeleteLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteLoginProfile.html)

**Important**  
When you delete a user's password, the user can no longer sign in to the AWS Management Console. If the user has active access keys, they continue to function and allow access through the AWS CLI, Tools for Windows PowerShell, or AWS API function calls. When you use the AWS CLI, Tools for Windows PowerShell, or AWS API to delete a user from your AWS account, you must first delete the password using this operation. For more information, see [Deleting an IAM user (AWS CLI)](id_users_remove.md#id_users_deleting_cli). 

**To revoke a user's active console sessions before a specified time (AWS API)**

1. To embed an inline policy that revokes an IAM user's active console sessions before a specified time, use the following inline policy and call this operation: [PutUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html)

   This inline policy denies all permissions and includes the `aws:TokenIssueTime` condition key. It revokes the user's active console sessions before the specified time in the `Condition` element of the inline policy. Replace the `aws:TokenIssueTime` condition key value with your own value.

------
#### [ JSON ]

   ```
   {
     "Version": "2012-10-17",
     "Statement": {
       "Effect": "Deny",
       "Action": "*",
       "Resource": "*",
       "Condition": {
         "DateLessThan": {
           "aws:TokenIssueTime": "2014-05-07T23:47:00Z"
         }
       }
     }
   }
   ```

------

1. (Optional) To list the names of the inline policies embedded in the IAM user, call this operation: [ListUserPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html)

1. (Optional) To view the named inline policy embedded in the IAM user, call this operation: [GetUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUserPolicy.html)
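
The following added example (not part of the original AWS documentation) covers both the AWS CLI and AWS API session-revocation procedures above: it builds the inline policy with a correctly formatted UTC cutoff and models which requests the `DateLessThan` condition denies. The function names and the simplified single-statement evaluation are assumptions of this example, including the modeled case of a request that carries no `aws:TokenIssueTime` value (such as one signed with long-term access keys).

```python
import json
from datetime import datetime, timedelta, timezone

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # format used by the policy on this page


def build_revoke_policy(cutoff):
    """Return the page's deny-all inline policy with the given cutoff time."""
    if cutoff.tzinfo is None:
        # A naive datetime would be silently read as local time and could
        # move the cutoff by hours, leaving recent sessions valid.
        raise ValueError("cutoff must be timezone-aware")
    cutoff_utc = cutoff.astimezone(timezone.utc)
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "DateLessThan": {
                    "aws:TokenIssueTime": cutoff_utc.strftime(TIME_FORMAT)
                }
            },
        },
    }


def _parse(value):
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def is_denied(policy, request_context):
    """Simplified model of the single Deny statement in the policy above.

    The Deny applies only when the request carries aws:TokenIssueTime and the
    value is earlier than the cutoff. Assumption of this model: a request
    without that key does not satisfy the condition and is not denied.
    """
    cutoff = policy["Statement"]["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
    issued = request_context.get("aws:TokenIssueTime")
    if issued is None:
        return False
    return _parse(issued) < _parse(cutoff)


if __name__ == "__main__":
    # Constructed cutoff given in a +02:00 zone; it is normalized to UTC.
    local = datetime(2014, 5, 8, 1, 47, tzinfo=timezone(timedelta(hours=2)))
    policy = build_revoke_policy(local)
    # Pass this document to aws iam put-user-policy or PutUserPolicy.
    print(json.dumps(policy, indent=2))
    print(is_denied(policy, {"aws:TokenIssueTime": "2014-05-07T20:00:00Z"}))
    print(is_denied(policy, {"aws:TokenIssueTime": "2014-05-08T00:10:00Z"}))
    print(is_denied(policy, {}))
```

A session the user starts after the cutoff is not denied, so the inline policy can stay attached without blocking new sign-ins.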

# Permit IAM users to change their own passwords
<a name="id_credentials_passwords_enable-user-change"></a>

**Note**  
Users with federated identities will use the process defined by their identity provider to change their passwords. As a [best practice](best-practices.md), require human users to use federation with an identity provider to access AWS using temporary credentials.

You can grant IAM users the permission to change their own passwords for signing in to the AWS Management Console. You can do this in one of two ways:
+ [Allow all IAM users in the account to change their own passwords](#proc_letalluserschangepassword). 
+ [Allow only selected IAM users to change their own passwords](#proc_letselectuserschangepassword). In this scenario, you disable the option for all users to change their own passwords and you use an IAM policy to grant permissions to only some users. This approach allows those users to change their own passwords and optionally other credentials like their own access keys. 

**Important**  
We recommend that you [set a custom password policy](id_credentials_passwords_account-policy.md) that requires IAM users to create strong passwords.

## To allow all IAM users to change their own passwords
<a name="proc_letalluserschangepassword"></a>

------
#### [ Console ]

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, click **Account settings**.

1. In the **Password policy** section, choose **Edit**.

1. Choose **Custom** to use a custom password policy.

1. Select **Allow users to change their own password**, and then choose **Save changes**. This allows all users in the account access to the `iam:ChangePassword` action for only their user and to the `iam:GetAccountPasswordPolicy` action.

1. Provide users with the following instructions for changing their passwords: [How an IAM user changes their own password](id_credentials_passwords_user-change-own.md). 

------
#### [ AWS CLI ]

Run the following command:
+ [aws iam update-account-password-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/update-account-password-policy.html)

------
#### [ API ]

To update the account password policy, call the following operation:
+ [UpdateAccountPasswordPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccountPasswordPolicy.html)

------

## To allow selected IAM users to change their own passwords
<a name="proc_letselectuserschangepassword"></a>

------
#### [ Console ]

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, click **Account settings**. 

1. In the **Password policy** section, make sure that **Allow users to change their own password** is not selected. If this checkbox is selected, all users can change their own passwords. (See the previous procedure.) 

1. Create the users who should be allowed to change their own password, if they do not already exist. For details, see [Create an IAM user in your AWS account](id_users_create.md). 

1. (Optional) Create an IAM group for the users who should be allowed to change their passwords, and then add the users from the previous step to the group. For details, see [IAM user groups](id_groups.md). 

1. Assign the following policy to the group. For more information, see [Manage IAM policies](access_policies_manage.md).

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": "iam:GetAccountPasswordPolicy",
         "Resource": "*"
       },
       {
         "Effect": "Allow",
         "Action": "iam:ChangePassword",
         "Resource": "arn:aws:iam::*:user/${aws:username}"
       }
     ]
   }
   ```

   This policy grants access to the [ChangePassword](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html) action, which lets users change only their own passwords from the console, the AWS CLI, Tools for Windows PowerShell, or the API. It also grants access to the [GetAccountPasswordPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountPasswordPolicy.html) action, which lets the user view the current password policy; this permission is required so that the user can view the account password policy on the **Change password** page. The user must be allowed to read the current password policy to ensure that the changed password meets the requirements of the policy.

1. Provide users with the following instructions for changing their passwords: [How an IAM user changes their own password](id_credentials_passwords_user-change-own.md). 

------
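The scoping in this policy comes from the `${aws:username}` policy variable, which is resolved to the caller's IAM user name on each request. The following added example (not part of the AWS documentation) models that resolution and lints for `iam:ChangePassword` grants that are not tied to the caller. It is a simplified model that handles only `Allow` statements with `Action` and `Resource`; the function names, user names and account ID are assumptions.

```python
import fnmatch

# The policy from the procedure above, as a Python dict.
SELF_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:GetAccountPasswordPolicy", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:ChangePassword",
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, username, action, resource):
    """Simplified model: Allow statements only; no Deny, Condition or NotAction."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are matched case-insensitively.
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt["Action"]))
        # ${aws:username} is replaced with the caller's IAM user name per request.
        resource_ok = any(
            fnmatch.fnmatchcase(resource, r.replace("${aws:username}", username))
            for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def unscoped_change_password(policy):
    """Lint: ChangePassword grants whose Resource is not tied to the caller."""
    return [stmt for stmt in _as_list(policy["Statement"])
            if stmt.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase("iam:changepassword", a.lower())
                    for a in _as_list(stmt["Action"]))
            and not all("${aws:username}" in r for r in _as_list(stmt["Resource"]))]


# Constructed ARNs using a placeholder account ID.
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"

if __name__ == "__main__":
    print(is_allowed(SELF_SERVICE_POLICY, "alice", "iam:ChangePassword", ALICE))
    print(is_allowed(SELF_SERVICE_POLICY, "alice", "iam:ChangePassword", BOB))
```
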

### For more information
<a name="HowToPwdIAMUser-moreinfo"></a>

For more information on managing credentials, see the following topics:
+ [Permit IAM users to change their own passwords](#id_credentials_passwords_enable-user-change) 
+ [User passwords in AWS](id_credentials_passwords.md)
+ [Set an account password policy for IAM users](id_credentials_passwords_account-policy.md)
+ [Manage IAM policies](access_policies_manage.md)
+ [How an IAM user changes their own password](id_credentials_passwords_user-change-own.md)

# How an IAM user changes their own password
<a name="id_credentials_passwords_user-change-own"></a>

If you have been granted permission to change your own IAM user password, you can use a special page in the AWS Management Console to do this. You can also use the AWS CLI or AWS API.

**Topics**
+ [Permissions required](#change-own-passwords-permissions-required)
+ [How IAM users change their own password (console)](#ManagingUserPwdSelf-Console)
+ [How IAM users change their own password (AWS CLI or AWS API)](#ManagingUserPwdSelf-CLIAPI)

## Permissions required
<a name="change-own-passwords-permissions-required"></a>

To change the password for your own IAM user, you must have the permissions from the following policy: [AWS: Allows IAM users to change their own console password on the Security credentials page](reference_policies_examples_aws_my-sec-creds-self-manage-password-only.md).

## How IAM users change their own password (console)
<a name="ManagingUserPwdSelf-Console"></a>

The following procedure describes how IAM users can use the AWS Management Console to change their own password.

**To change your own IAM user password (console)**

1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the [IAM console](https://console.aws.amazon.com/iam).
   **Note**  
   For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose **Sign in to a different account** near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.

   To get your AWS account ID, contact your administrator.

1. In the navigation bar on the upper right, choose your user name, and then choose **Security credentials**.   
![\[AWS Management Console Security credentials link\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/security-credentials-user.shared.console.png)

1. On the **AWS IAM credentials** tab, choose **Update password**.

1. For **Current password**, enter your current password. Enter a new password for **New password** and **Confirm new password**. Then choose **Update password**.
   **Note**  
   The new password must meet the requirements of the account password policy. For more information, see [Set an account password policy for IAM users](id_credentials_passwords_account-policy.md).

## How IAM users change their own password (AWS CLI or AWS API)
<a name="ManagingUserPwdSelf-CLIAPI"></a>

The following procedure describes how IAM users can use the AWS CLI or AWS API to change their own password.

**To change your own IAM password, use the following:**
+ AWS CLI: [`aws iam change-password`](https://docs.aws.amazon.com/cli/latest/reference/iam/change-password.html)
+ AWS API: [`ChangePassword`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html)