An organization has created 50 IAM users. The organization wants each user to be able to change their own password
but not their access keys. How can the organization achieve this?
A. The organization has to create a special password policy and attach it to each user
B. The root account owner has to use CLI which forces each IAM user to change their password on first login
C. By default each IAM user can modify their passwords
D. The root account owner can set the policy from the IAM console under the password policy screen
Explanation:
With AWS IAM, organizations can use the AWS Management Console to display, create, change or delete the account's
password policy. As part of managing the password policy, the account administrator can enable all IAM users to manage
their own passwords. If the administrator has selected the option that allows IAM users to change their own password,
no separate IAM policy needs to be attached to each user. This option in the AWS console allows changing only the
password, not access keys.
Answer is D
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_enable-user-change.html
Allow only selected IAM users to change their own passwords. In this scenario, you disable the option for all users to change their own passwords and you use an IAM policy to grant permissions to only some users to change their own passwords and optionally other credentials like their own access keys.
D.
The root account owner can set the policy from the IAM console under the password policy screen
d
ddddddd
d
d
Obviously D
A, you need to create and assign to each user a policy that would deny him the creation of access keys …
“Important
The password settings described here apply only to passwords assigned to IAM users and do not affect any access keys they might have.”
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html#creds-policies-credentials
Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys
The following policy allows users to perform these actions in the AWS Management Console:
Create, change, or remove their own password. This includes the CreateLoginProfile, DeleteLoginProfile, GetLoginProfile, and UpdateLoginProfile actions.
Create or delete their own access key (access key ID and secret access key). This includes the CreateAccessKey, DeleteAccessKey, GetAccessKeyLastUsed, ListAccessKeys, and UpdateAccessKey actions.
Create or delete their own SSH keys. This includes the UploadSSHPublicKey, DeleteSSHPublicKey, GetSSHPublicKey, ListSSHPublicKeys, and UpdateSSHPublicKey actions.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:*LoginProfile",
            "iam:*AccessKey*",
            "iam:*SSHPublicKey*"
          ],
          "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:ListAccount*",
            "iam:GetAccountSummary",
            "iam:GetAccountPasswordPolicy",
            "iam:ListUsers"
          ],
          "Resource": "*"
        }
      ]
    }
The actions in the preceding policy include wildcards (for example, iam:*LoginProfile, iam:*AccessKey*, and iam:*SSHPublicKey*). This is a convenient way to include a set of related actions. If you want to remove permissions for any one of the related actions, you must instead list each of the individual actions. For example, if you don't want users to be able to delete a password, you must individually list iam:CreateLoginProfile, iam:GetLoginProfile, and iam:UpdateLoginProfile, and omit iam:DeleteLoginProfile.
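As an added illustration (this is not the commenter's code nor anything from the AWS documentation), the Python below places the wildcard self-service policy quoted above next to a password-only variant built the way the quoted paragraph describes: the individual LoginProfile actions are listed instead of a wildcard, and an explicit Deny covers the access-key actions so no other attached policy can re-grant them. A small, deliberately simplified evaluator (Allow/Deny, `*` wildcards, the `${aws:username}` variable, explicit Deny overriding Allow) shows which requests each policy permits for a constructed user; the account id and user names are placeholders, and real IAM evaluation also involves conditions, permission boundaries and SCPs that this model ignores.

```python
"""Compare the quoted wildcard self-service policy with a password-only variant.

Simplified IAM model (added example, not AWS code): Allow/Deny statements,
'*' wildcards in Action and Resource, case-insensitive action names, the
${aws:username} policy variable, and the rule that an explicit Deny wins
over any Allow while no matching statement is an implicit deny.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed placeholder account id
OWN_USER = f"arn:aws:iam::{ACCOUNT}:user/${{aws:username}}"

# The wildcard policy quoted in the comment above: own password, access keys, SSH keys.
WILDCARD_SELF_SERVICE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*"],
         "Resource": OWN_USER},
        {"Effect": "Allow",
         "Action": ["iam:ListAccount*", "iam:GetAccountSummary",
                    "iam:GetAccountPasswordPolicy", "iam:ListUsers"],
         "Resource": "*"},
    ],
}

# Password-only variant: individual actions instead of iam:*LoginProfile (so
# DeleteLoginProfile is not granted), plus an explicit Deny on access-key changes.
PASSWORD_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:ChangePassword", "iam:GetLoginProfile", "iam:UpdateLoginProfile"],
         "Resource": OWN_USER},
        {"Effect": "Allow",
         "Action": ["iam:GetAccountPasswordPolicy"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:DeleteAccessKey"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def user_arn(username):
    """ARN of an IAM user in the placeholder account."""
    return f"arn:aws:iam::{ACCOUNT}:user/{username}"


def evaluate(policy, action, resource, username):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    username is the identity making the request; it is substituted for
    ${aws:username} in Resource patterns before matching.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; '*' is the only wildcard modelled.
        if not any(fnmatchcase(action.lower(), pat.lower()) for pat in _as_list(stmt["Action"])):
            continue
        resources = [r.replace("${aws:username}", username) for r in _as_list(stmt["Resource"])]
        if not any(fnmatchcase(resource, pat) for pat in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit Deny overrides everything else
        decision = "Allow"         # keep scanning in case a later Deny applies
    return decision


def self_service_report(policy, username):
    """Decisions for the credential actions a user might try on her own user."""
    actions = ["iam:ChangePassword", "iam:UpdateLoginProfile", "iam:DeleteLoginProfile",
               "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys"]
    return {a: evaluate(policy, a, user_arn(username), username) for a in actions}


if __name__ == "__main__":
    for name, policy in [("wildcard", WILDCARD_SELF_SERVICE), ("password-only", PASSWORD_ONLY)]:
        print(name)
        for action, decision in self_service_report(policy, "alice").items():
            print(f"  {action:<25} {decision}")
```

Running the script prints one decision table per policy; the difference to look for is that `iam:CreateAccessKey` and `iam:DeleteAccessKey` flip from Allow to Deny, and `iam:DeleteLoginProfile` drops to an implicit deny once the wildcard is replaced by the listed actions. Either policy still only matches the caller's own user ARN, so alice gets an implicit deny when the resource is bob's user.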
Answer should be D.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys_retrieve.html
IAM user password – If you are an IAM user and you forget your password, you must ask your administrator to reset your password. To learn how an administrator can manage your password, see Managing Passwords for IAM Users.
IAM user access keys – If you are an IAM user and you forget your access keys, you will need new access keys. If you have permission to create your own access keys, you can find instructions for creating a new one at Creating, Modifying, and Viewing Access Keys (Console). If you do not have the required permissions, you must ask your administrator to create new access keys. If you are still using your old keys, ask your administrator not to delete the old keys. To learn how an administrator can manage your access keys, see Managing Access Keys for IAM Users.