Difference between revisions of "DenyAllExceptListedIfNoMFA"
Line 7: | Line 7: | ||
== See also == | == See also == | ||
* {{MFA}} | * {{MFA}} | ||
+ | |||
+ | [[Category:MFA]] |
Latest revision as of 11:33, 2 November 2021
This example policy does not allow users to reset a password while signing in for the first time. AWS recommends that you do not grant permissions to new users until after they sign in. For more information, see "How do I securely create IAM users?". This also prevents users with an expired password from resetting their password before signing in. You can allow this by adding iam:ChangePassword and iam:GetAccountPasswordPolicy to the statement DenyAllExceptListedIfNoMFA. However, IAM does not recommend this. Allowing users to change their password without MFA can be a security risk.
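The effect of that change can be checked offline with a small evaluator. This is an added example, not part of the original page or of AWS's policy text. It assumes the statement is a Deny with a NotAction list and a BoolIfExists condition on aws:MultiFactorAuthPresent, uses an abbreviated, illustrative NotAction list, and evaluates only this one statement (Resource and any Allow statements are ignored).

```python
import copy
from fnmatch import fnmatchcase

# Assumed shape of the statement the page names. The NotAction list is an
# abbreviated, illustrative subset and is not copied from this page.
DENY_NO_MFA = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

def with_password_reset(stmt):
    """Variant the page describes and advises against: exempt password change."""
    relaxed = copy.deepcopy(stmt)
    relaxed["NotAction"] += ["iam:ChangePassword", "iam:GetAccountPasswordPolicy"]
    return relaxed

def condition_matches(stmt, context):
    """BoolIfExists: a key missing from the request context counts as a match."""
    for key, wanted in stmt["Condition"]["BoolIfExists"].items():
        if key in context and str(context[key]).lower() != wanted:
            return False
    return True

def denied(stmt, action, context):
    """True if this Deny statement applies to `action` in this request context."""
    # Action names are compared case-insensitively; '*' and '?' act as wildcards.
    exempt = any(fnmatchcase(action.lower(), p.lower()) for p in stmt["NotAction"])
    return not exempt and condition_matches(stmt, context)

if __name__ == "__main__":
    no_mfa = {"aws:MultiFactorAuthPresent": "false"}  # constructed request context
    for name, stmt in [("as written", DENY_NO_MFA), ("relaxed", with_password_reset(DENY_NO_MFA))]:
        print(name, "-> iam:ChangePassword denied without MFA:",
              denied(stmt, "iam:ChangePassword", no_mfa))
```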
See also