
Quick Fix: Force IAM User Password Rotation

Outcome

The IAM user's current password will be replaced with a temporary password and they will be required to set a new password at their next console sign-in. This addresses stale passwords that have exceeded your organization's maximum password age.

For example, after applying this fix:

  • An IAM user ops-engineer whose password is 120 days old will be forced to choose a new password at next sign-in
  • An IAM user analyst whose password may have been shared will have their old password invalidated immediately

Fix

Step 1: Set the target user

USER_NAME="the-user-to-rotate"

Step 2: Reset the password and require change at next sign-in

Generate a temporary password and force the user to change it on their next console sign-in:

TEMP_PASSWORD=$(aws secretsmanager get-random-password \
  --password-length 32 \
  --require-each-included-type \
  --query RandomPassword --output text)

aws iam update-login-profile \
  --user-name "${USER_NAME}" \
  --password "${TEMP_PASSWORD}" \
  --password-reset-required

Securely communicate the temporary password to the user so they can sign in and set their own password.

Verify the fix

Confirm the login profile now requires a password reset:

aws iam get-login-profile \
  --user-name "${USER_NAME}" \
  --query 'LoginProfile.PasswordResetRequired'

This should return true (with the default JSON output; with --output text the CLI prints True).


Gotcha

The temporary password must meet the account's IAM password policy (minimum length, required character classes, and so on). If update-login-profile fails with a PasswordPolicyViolation error, check the policy with aws iam get-account-password-policy and generate a conforming password. The example above uses get-random-password with --require-each-included-type, which satisfies most policies, but raise --password-length if the policy's minimum is longer than 32.

update-login-profile also fails with NoSuchEntity when the user has no console login profile, that is, no console password at all. Do not answer that error with create-login-profile unless the user is actually meant to have console access; a user who only holds access keys has nothing to rotate here.

This fix changes only the console password. The user's access keys and MFA device are untouched, so stale access keys need a separate rotation.

Passing the password with --password puts it in the process argument list (visible in ps output) and in shell history. A less exposed route is to write the request to a file readable only by you and pass it with --cli-input-json.
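The following script, an added example and not part of the original page, wraps Steps 1 and 2 and the verification above into one function and handles the conditions described in the gotcha: it refuses to run for a user without a login profile, sizes and checks the generated password against the account policy before calling update-login-profile, keeps the password out of argv by passing it through a 0600 temporary file, and confirms PasswordResetRequired afterwards. The helper functions policy_field, required_length and password_meets_policy are this example's own and parse the policy JSON with grep/sed rather than jq; the sample policy in the usage note is constructed. Only rotate_user talks to AWS.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): force-rotate one IAM user's
# console password while checking the preconditions that make a bare
# update-login-profile call fail.
set -eu

# Extract one scalar field from the JSON returned by
# `aws iam get-account-password-policy`; prints nothing if it is absent.
# (Hypothetical helper; assumes the AWS CLI's flat key/value layout.)
policy_field() {
  printf '%s' "$1" | grep -o "\"$2\": *[^,}]*" | sed 's/.*: *//' | head -n 1
}

# Length to request from get-random-password: the policy minimum (AWS
# default is 8 when no policy is set), but never shorter than 32.
required_length() {
  min=$(policy_field "$1" MinimumPasswordLength)
  min=${min:-8}
  if [ "$min" -gt 32 ]; then echo "$min"; else echo 32; fi
}

# Return 0 if "$1" contains at least one character matching class "$2".
has_class() { printf '%s' "$1" | grep -q "$2"; }

# Return 0 if password "$2" satisfies every requirement present in policy "$1".
password_meets_policy() {
  pol=$1
  pw=$2
  min=$(policy_field "$pol" MinimumPasswordLength)
  min=${min:-8}
  [ "${#pw}" -ge "$min" ] || return 1
  [ "$(policy_field "$pol" RequireSymbols)" != true ] || has_class "$pw" '[^[:alnum:]]' || return 1
  [ "$(policy_field "$pol" RequireNumbers)" != true ] || has_class "$pw" '[[:digit:]]' || return 1
  [ "$(policy_field "$pol" RequireUppercaseCharacters)" != true ] || has_class "$pw" '[[:upper:]]' || return 1
  [ "$(policy_field "$pol" RequireLowercaseCharacters)" != true ] || has_class "$pw" '[[:lower:]]' || return 1
  return 0
}

# Rotate USER's console password. Everything in here talks to AWS and needs
# credentials with iam:GetLoginProfile, iam:UpdateLoginProfile,
# iam:GetAccountPasswordPolicy and secretsmanager:GetRandomPassword.
rotate_user() {
  user=$1

  # update-login-profile returns NoSuchEntity for a user without a console
  # password, so confirm a login profile exists before touching it.
  if ! aws iam get-login-profile --user-name "$user" >/dev/null 2>&1; then
    echo "error: $user has no console login profile; nothing to rotate" >&2
    return 1
  fi

  # No account policy set also yields NoSuchEntity; fall back to AWS defaults.
  policy=$(aws iam get-account-password-policy --output json 2>/dev/null || echo '{}')
  len=$(required_length "$policy")

  # Quote and backslash are excluded so the password can be embedded in the
  # JSON request below without escaping.
  pw=$(aws secretsmanager get-random-password --password-length "$len" \
         --require-each-included-type --exclude-characters '"\' \
         --query RandomPassword --output text)
  password_meets_policy "$policy" "$pw" || {
    echo "error: generated password does not satisfy the account policy" >&2
    return 1
  }

  # Hand the password to the CLI through a 0600 file rather than argv, so it
  # does not appear in ps output or shell history.
  tmp=$(mktemp)
  chmod 600 "$tmp"
  printf '{"UserName":"%s","Password":"%s","PasswordResetRequired":true}' \
    "$user" "$pw" > "$tmp"
  aws iam update-login-profile --cli-input-json "file://$tmp"
  rm -f "$tmp"

  # Verify: the login profile must now require a reset at next sign-in.
  flag=$(aws iam get-login-profile --user-name "$user" \
           --query LoginProfile.PasswordResetRequired --output json)
  [ "$flag" = true ] || { echo "error: PasswordResetRequired is $flag" >&2; return 1; }

  # Print the temporary password once, for delivery over a secure channel.
  printf 'temporary password for %s: %s\n' "$user" "$pw"
}

# Run only when a user name is given, e.g.:  ./rotate.sh ops-engineer
[ "$#" -eq 0 ] || rotate_user "$1"
```

The policy helpers can be exercised offline with a constructed policy such as {"PasswordPolicy":{"MinimumPasswordLength":40,"RequireSymbols":true}}: required_length then returns 40 rather than the 32 default, and password_meets_policy rejects a 39-character or symbol-free candidate before any call to update-login-profile is made.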


Last update: February 5, 2026