AWS Certified SysOps Administrator – Associate (legacy) — Question 253

An organization has created 50 IAM users. The organization wants that each user can change their password but cannot change their access keys. How can the organization achieve this?

Answer options

• A. The organization has to create a special password policy and attach it to each user
• B. The root account owner has to use CLI which forces each IAM user to change their password on first login
• C. By default each IAM user can modify their passwords
• D. The root account owner can set the policy from the IAM console under the password policy screen

Correct answer: D

Explanation

The correct answer is D because the root account owner can indeed set policies that control password management through the IAM console. Options A and B are incorrect because they suggest unnecessary steps or misinterpret the default permissions. Option C is misleading as it does not address the restrictions on access keys.