This CloudFormation template does the following:
- creates a user "JohnDoe"
- assigns him the IAM managed policy named IAMUserChangePassword, which allows him to change his password.
- prompts the user to change his password at first login; this is achieved with the 'PasswordResetRequired: "true"' declaration.
- prompts the creator of the stack, at stack creation time, for a default password for this user.
By default this user has no other rights except changing his own password.
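```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  This template creates an IAM user named 'JohnDoe'
  and permissions for him to change his password.
Parameters:
  password:
    NoEcho: true  # mask the value in the console, CLI and API output
    Description: Password for the IAM User
    Type: String
Resources:
  johndoe:
    Type: AWS::IAM::User
    Properties:
      # Without UserName, CloudFormation generates a name from the stack and
      # logical ID. An explicit name requires the CAPABILITY_NAMED_IAM capability.
      UserName: JohnDoe
      ManagedPolicyArns:
        # AWS managed policy: the user may change only his own password
        - arn:aws:iam::aws:policy/IAMUserChangePassword
      LoginProfile:
        Password: !Ref password
        PasswordResetRequired: "true"  # force a password change at first login
```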
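The three properties this template relies on (a NoEcho password parameter, PasswordResetRequired, and a single change-password policy) can be checked before deployment. The following is an added example, not part of the original post: the function name, the policy allowlist and the sample template (the page's template in JSON form plus a constructed misconfigured user) are assumptions.

```python
import json

# Constructed sample: the page's template in CloudFormation's JSON form,
# plus a second, deliberately misconfigured user for comparison.
TEMPLATE = json.loads("""
{"Parameters": {"password": {"Type": "String", "NoEcho": true}},
 "Resources": {
  "johndoe": {"Type": "AWS::IAM::User", "Properties": {
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/IAMUserChangePassword"],
    "LoginProfile": {"Password": {"Ref": "password"},
                     "PasswordResetRequired": "true"}}},
  "baduser": {"Type": "AWS::IAM::User", "Properties": {
    "LoginProfile": {"Password": "CONSTRUCTED-LITERAL"}}}}}
""")

# Assumption: new users may carry only the policy the page attaches.
ALLOWED_POLICIES = {"arn:aws:iam::aws:policy/IAMUserChangePassword"}


def audit_iam_users(template):
    """Return {logical_id: [findings]} for every AWS::IAM::User resource."""
    params = template.get("Parameters", {})
    report = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::User":
            continue
        props = res.get("Properties", {})
        findings = []
        profile = props.get("LoginProfile")
        if profile is not None:
            pw = profile.get("Password")
            # Simplification: only a plain Ref is accepted as a password
            # source; any other value (literal or intrinsic) is flagged.
            ref = pw.get("Ref") if isinstance(pw, dict) else None
            if ref is None:
                findings.append("password is not a Ref to a parameter")
            elif params.get(ref, {}).get("NoEcho") not in (True, "true"):
                findings.append("password parameter lacks NoEcho")
            if str(profile.get("PasswordResetRequired", "")).lower() != "true":
                findings.append("PasswordResetRequired is not true")
        extra = set(props.get("ManagedPolicyArns", [])) - ALLOWED_POLICIES
        if extra:
            findings.append("unexpected managed policies: " + ", ".join(sorted(extra)))
        report[name] = findings
    return report
```

An empty findings list for a user means all three checks passed; the YAML template can be converted to JSON first, since CloudFormation accepts both forms.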