From 0b14a7338db1d809de8d6240e61978f15fc14492 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Thu, 1 Sep 2016 21:20:14 +0300
Subject: [PATCH] - Added entry to allow AWS users to change passwords and
 keys.

---
 content/aws_change_own_password.rst | 57 +++++++++++++++++++++++++++++
 content/static/policy.json          | 26 +++++++++++++
 2 files changed, 83 insertions(+)
 create mode 100644 content/aws_change_own_password.rst
 create mode 100644 content/static/policy.json

diff --git a/content/aws_change_own_password.rst b/content/aws_change_own_password.rst
new file mode 100644
index 0000000..610a139
--- /dev/null
+++ b/content/aws_change_own_password.rst
@@ -0,0 +1,57 @@
+Self service AWS IAM policy
+###########################
+
+:date: 2016-09-01
+:summary: AWS IAM policy to allow users to change their own password and manage
+          their own keys.
+
+A common practice for me a new member joins the team or when someone forgets
+his/ her AWS account password is to change the account password myself, send the
+new password over a unsecure channel (email, Slack) but force the account to
+change the password on first login. Also, I prefer to have users manage their
+own keys to AWS themselves. But without the correct IAM policy users aren't able
+to perform either action. Here's an IAM to allow both:
+
+.. code:: json
+
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "iam:GetAccountPasswordPolicy",
+                    "iam:ListAccount*",
+                    "iam:GetAccountSummary",
+                    "iam:GetAccountPasswordPolicy",
+                    "iam:ListUsers"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "iam:ChangePassword",
+                    "iam:*LoginProfile",
+                    "iam:*AccessKey*",
+                    "iam:*SSHPublicKey*"
+                ],
+                "Resource": "arn:aws:iam::<INSERT AWS ACCOUNT ID HERE>:user/${aws:username}"
+            }
+        ]
+    }
+
+If you want a little script with the AWS CLI, here's one for you:
+
+.. code:: shell
+
+    tempfile=$(mktemp)
+    accountid="$(aws ec2 describe-security-groups \
+        --group-names 'Default' \
+        --query 'SecurityGroups[0].OwnerId' \
+        --output text)"
+    curl https://www.shore.co.il/blog/static/policy.json | sed "s/<INSERT AWS ACCOUNT ID HERE>/$accountid/" > $tempfile
+    aws iam create-policy \
+        --policy-name change-own-password \
+        --policy-document file://$tempfile
+    rm $tempfile
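Review bot: The second statement's `iam:*LoginProfile` wildcard also grants `iam:UpdateLoginProfile` and `iam:DeleteLoginProfile` on the caller's own user, and UpdateLoginProfile sets a new password without proving the current one, which undercuts routing self-service through `iam:ChangePassword`; naming the actions explicitly, e.g. `"iam:ChangePassword", "iam:GetLoginProfile"`, keeps the old-password check, and the same explicit listing is worth considering for `iam:*AccessKey*` and `iam:*SSHPublicKey*`. The first statement lists `iam:GetAccountPasswordPolicy` twice, and `iam:ListUsers` on `"Resource": "*"` lets every user enumerate all usernames in the account; if the console flow needs it, say so in the prose, otherwise drop it. The same policy text is repeated verbatim in content/static/policy.json (the second hunk), so both copies need the same edit. In the script, `curl` without `--fail` feeds an HTTP error body to `aws iam create-policy`, and the account id lookup depends on an EC2 security group named `Default` plus ec2:DescribeSecurityGroups; `accountid="$(aws sts get-caller-identity --query Account --output text)"` and `curl --fail --silent --show-error` remove both assumptions. The intro paragraph also has a few slips worth fixing (`for me a new member`, `his/ her`, `a unsecure`, `Here's an IAM to allow both`).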
diff --git a/content/static/policy.json b/content/static/policy.json
new file mode 100644
index 0000000..c87c5b3
--- /dev/null
+++ b/content/static/policy.json
@@ -0,0 +1,26 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetAccountPasswordPolicy",
+                "iam:ListAccount*",
+                "iam:GetAccountSummary",
+                "iam:GetAccountPasswordPolicy",
+                "iam:ListUsers"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:ChangePassword",
+                "iam:*LoginProfile",
+                "iam:*AccessKey*",
+                "iam:*SSHPublicKey*"
+            ],
+            "Resource": "arn:aws:iam::<INSERT AWS ACCOUNT ID HERE>:user/${aws:username}"
+        }
+    ]
+}
-- 
GitLab