Introduction
Password rotation is a healthy security behaviour as it ensures that any passwords that may have been leaked, either due to a reuse, or breach, or inadvertently by the user, become irrelevant. The AWS CIS Foundations Benchmark also flags an IAM user whose password has not been changed in the last 90 days as non-compliant. It is recommended to change your password periodically and never reuse it on another site or service.
AWS allows to manage passwords for the users. In this article we will go through the steps to change the password for an IAM user using AWS console.
Change password for an IAM user
Following are the steps to change the password for an IAM user via AWS console:
-
Login to AWS Management Console and navigate to IAM service
-
Under Access management on IAM dashboard, go to Users
-
We can see the Password age column for each user. This indicates how old is a user’s console password
-
To update a user’s console password, click on the user name for that user
-
On Summary page, click on Security credentials tab
-
Click on Manage console access button
-
Select one of the 3 options under Set password section
-
Check the User must create new password at next sign-in checkbox if you require the user to set a new password during their next sign-in, else if you are setting the new password to be used for user login in step 7 itself, then you can skip this step
-
Finally, click on Apply button

Riyaz Walikar
Founder & Chief of R&D
Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.

Riyaz Walikar
Founder & Chief of R&D
Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.