- Added entry to allow AWS users to change passwords and keys.

0b14a733 · nimrod · a8f01305 · 0b14a733 · 0b14a733
Commit 0b14a733 authored 8 years ago by nimrod
--- a/content/aws_change_own_password.rst
+++ b/content/aws_change_own_password.rst
+Self service AWS IAM policy
+###########################
+
+:date: 2016-09-01
+:summary: AWS IAM policy to allow users to change their own password and manage
+          their own keys.
+
+A common practice for me a new member joins the team or when someone forgets
+his/ her AWS account password is to change the account password myself, send the
+new password over a unsecure channel (email, Slack) but force the account to
+change the password on first login. Also, I prefer to have users manage their
+own keys to AWS themselves. But without the correct IAM policy users aren't able
+to perform either action. Here's an IAM to allow both:
+
+.. code:: json
+
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "iam:GetAccountPasswordPolicy",
+                    "iam:ListAccount*",
+                    "iam:GetAccountSummary",
+                    "iam:GetAccountPasswordPolicy",
+                    "iam:ListUsers"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "iam:ChangePassword",
+                    "iam:*LoginProfile",
+                    "iam:*AccessKey*",
+                    "iam:*SSHPublicKey*"
+                ],
+                "Resource": "arn:aws:iam::<INSERT AWS ACCOUNT ID HERE>:user/${aws:username}"
+            }
+        ]
+    }
+
+If you want a little script with the AWS CLI, here's one for you:
+
+.. code:: shell
+
+    tempfile=$(mktemp)
+    accountid="$(aws ec2 describe-security-groups \
+        --group-names 'Default' \
+        --query 'SecurityGroups[0].OwnerId' \
+        --output text)"
+    curl https://www.shore.co.il/blog/static/policy.json | sed "s/<INSERT AWS ACCOUNT ID HERE>/$accountid/" > $tempfile
+    aws iam create-policy \
+        --policy-name change-own-password \
+        --policy-document file://$tempfile
+    rm $tempfile
--- a/content/static/policy.json
+++ b/content/static/policy.json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetAccountPasswordPolicy",
+                "iam:ListAccount*",
+                "iam:GetAccountSummary",
+                "iam:GetAccountPasswordPolicy",
+                "iam:ListUsers"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:ChangePassword",
+                "iam:*LoginProfile",
+                "iam:*AccessKey*",
+                "iam:*SSHPublicKey*"
+            ],
+            "Resource": "arn:aws:iam::<INSERT AWS ACCOUNT ID HERE>:user/${aws:username}"
+        }
+    ]
+}