Forced password reset for AWS IAM users can be enabled and managed in the AWS IAM Console.
In AWS Console -
- Sign in to the AWS Console and go to the IAM console.
- Choose Users in the navigation pane and select a user to edit.
- Select Security Credentials.
- Choose the Enable console access button and select Enable.
- Choose the option User must create new password at next sign-in and select Apply.
When creating a new user:
- Sign in to the AWS Console and go to the IAM console.
- Choose Users in the navigation pane.
- Select Add user.
- Choose the option Provide user access to the AWS Management Console.
- Select Next and choose Create user.
In Terraform -
- In the aws_iam_user_login_profile resource, set the password_reset_required field to true. This flag only takes effect when the login profile resource is first created, so it forces a password change at the user's first console sign-in and does not re-apply on later runs.
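A minimal Terraform configuration for the setting described above, written here as an added example (not taken from the page or from the provider docs); the user name and PGP key reference are placeholders:

```hcl
# Constructed example: an IAM user whose console password must be
# changed at first sign-in.
resource "aws_iam_user" "analyst" {
  name = "example-analyst" # placeholder user name
}

resource "aws_iam_user_login_profile" "analyst" {
  user = aws_iam_user.analyst.name

  # Forces a password change on the first console login.
  # Applies only when this resource is created; changing it later
  # does not force a reset for an existing login profile.
  password_reset_required = true

  # Length of the generated initial password.
  password_length = 20

  # Without pgp_key the generated password is written in plaintext to
  # Terraform state; supplying a key stores it as encrypted_password.
  # pgp_key = "keybase:example-user"  # placeholder
}
```

If the initial password must be rotated for an already existing login profile, recreate the resource (for example with `terraform taint`) or use the console steps above.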
References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile