---
title: "Defining a Policy for Sub-Users to Change Passwords and Enable MFA"
slug: "how-do-i-allow-sub-users-to-change-passwords-and-enable-mfa"
description: "By default, sub-users on an account do not have permission to change passwords or enable Multi-Factor Authentication (MFA). If a sub-user attempts to change a password or enable MFA, an error message will display. A Root account user can define an IAM policy to grant sub-users the ability to change passwords and enable MFA. The policy will not allow sub-users to disable or delete MFA."
updated: 2026-01-07T17:34:39Z
published: 2026-01-07T17:34:39Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wasabi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Defining a Policy for Sub-Users to Change Passwords and Enable MFA

By default, sub-users on an account do not have permission to change passwords or enable Multi-Factor Authentication (MFA). If a sub-user attempts to change a password or enable MFA, an error message will display.

A Root account user can define an IAM policy to grant sub-users the ability to change passwords and enable MFA. The policy will not allow sub-users to disable or delete MFA.

## Creating the IAM Policy

1. You will need your Wasabi account number in the following instructions. To find it, click **Users**(in the Wasabi menu). On the Users list, note the ARN column. The ARN includes your account number, which is the same for every sub-user under the account. In this example, 100001028168 is the account number:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-TYHLMWTQ.png)
2. Click **Policies**on the Wasabi menu.
3. Click **Create Policy**.
4. Enter a policy name. A list of names may be suggested from which you can select. But you can enter any name.
5. Optionally, enter a description.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-ZCT093QC.png)
6. Copy and paste the following policy content into the Policy Editor.

```json
{
                "Version": "2012-10-17",
                "Statement": [
                {
                "Effect": "Allow",
                "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:ListVirtualMFADevices"
                ],
                "Resource": "*"
                },
                {
                "Sid": "AllowUserToCreateVirtualMFADevice",
                "Effect": "Allow",
                "Action": "iam:CreateVirtualMFADevice",
                "Resource": [
                "arn:aws:iam::AccountNumber:mfa/*",
                "arn:aws:iam::AccountNumber:user/${aws:username}"
                ]
                },
                {
                "Sid": "AllowUserToManageOwnMFA",
                "Effect": "Allow",
                "Action": [
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
                ],
                "Resource": [
                "arn:aws:iam::AccountNumber:user/${aws:username}",
                "arn:aws:iam::AccountNumber:mfa/*"
                ]
                },
                {
                "Sid": "AllowUsersToChangePassword",
                "Effect": "Allow",
                "Action": [
                "iam:ChangePassword",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
                ],
                "Resource": "arn:aws:iam::AccountNumber:user/${aws:username}"
                }
                ]
                }
```

Change AccountNumber to match your Wasabi account number. This number is found in the Users list. For example:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-TYHLMWTQ.png)
7. When you see a message that the policy is valid, you can click **Create Policy**to create the new policy.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1719063308617.png)

## Applying the Policy to a Group or Individual Sub-User

Wasabi recommends that you apply the policy to a group of sub-users.

1. Click **Groups**.
2. Click the name of the group to which this policy will apply.
3. Scroll down and open the **Policies** drop-down.
4. In the Search box, enter the policy name to select it.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1719063802799.png)

To apply the policy to an individual sub-user:

1. Click **Users**.
2. Click the name of the sub-user to which this policy will apply.
3. Scroll down and open the **Policies** drop-down.
4. In the Search box, enter the policy name to select it.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1719063672640.png)