diff --git a/modules/security_identity_compliance/iam-user-gpg/README.md b/modules/security_identity_compliance/iam-user-gpg/README.md
new file mode 100644
index 0000000..0397790
--- /dev/null
+++ b/modules/security_identity_compliance/iam-user-gpg/README.md
@@ -0,0 +1,53 @@
+# iam-user module
+Module for creating IAM user. Credentials, if any, will be encrypted with gpg key. To obtain gpg public key of a user, run
+```bash
+gpg --export key-owner-name | base64
+```
+
+To decrypt the encrypted data
+```bash
+terraform output iam-user-pass | tr -d \" | base64 -d | gpg -d
+terraform output iam-user-secret-key | tr -d \" | base64 -d | gpg -d
+```
+
+## Example
+```terraform
+module iam-user {
+ source = "../../modules/security_identity_compliance/iam-user"
+
+ default-tags = local.default-tags
+ iam-user-name = var.iam-user-name
+ iam-user-policy = data.aws_iam_policy_document.user-policy.json
+ iam-user-policy-name = "SelfServicePermissions"
+ create-access-key = false
+ create-password = false
+ managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
+ create-group = true
+ iam-group-name = var.iam-group-name
+}
+
+data aws_iam_policy_document user-policy {
+ statement {
+ sid = "ManageOwnCredentials"
+
+ actions = [
+ "iam:ChangePassword",
+ "iam:CreateAccessKey",
+ "iam:DeleteAccessKey",
+ "iam:ListAccessKey",
+ "iam:CreateVirtualMFADevice",
+ "iam:EnableMFADevice",
+ "iam:ListMFA*",
+ "iam:ListVirtualMFA*",
+ "iam:ResyncMFADevice"
+ ]
+
+ effect = "Allow"
+ resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
+ }
+}
+
+output iam-user-arn {
+ value = module.iam-user.iam-user-arn
+}
+```
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-user-gpg/main.tf b/modules/security_identity_compliance/iam-user-gpg/main.tf
new file mode 100644
index 0000000..7643da7
--- /dev/null
+++ b/modules/security_identity_compliance/iam-user-gpg/main.tf
@@ -0,0 +1,68 @@
+resource "aws_iam_user" "iam-user" {
+ name = var.iam-user-name
+ tags = var.default-tags
+ force_destroy = true
+}
+
+resource "aws_iam_access_key" "iam-user-access-key" {
+ count = var.create-access-key ? 1 : 0
+ user = aws_iam_user.iam-user.name
+ pgp_key = var.pgp-key
+}
+
+resource "aws_iam_user_policy" "iam-user-policy" {
+ count = var.create-group ? 0 : 1
+ name = var.iam-user-policy-name
+ user = aws_iam_user.iam-user.name
+ policy = var.iam-user-policy
+}
+
+resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
+ count = var.create-group ? 0: length(var.managed-policy-arns)
+ user = aws_iam_user.iam-user.name
+ policy_arn = var.managed-policy-arns[count.index]
+}
+
+resource "random_password" "iam-user-pass" {
+ count = var.create-password ? 1 : 0
+ length = 20
+ special = true
+}
+
+resource "aws_iam_user_login_profile" "iam-user-profile" {
+ count = var.create-password ? 1 : 0
+ user = aws_iam_user.iam-user.name
+ pgp_key = var.pgp-key
+}
+
+resource aws_iam_group iam-group {
+ count = var.create-group ? 1 : 0
+ name = var.iam-group-name
+}
+
+resource aws_iam_group_membership new-group-membership {
+ count = length(aws_iam_group.iam-group)
+ name = aws_iam_group.iam-group[0].name
+ group = aws_iam_group.iam-group[0].name
+ users = [aws_iam_user.iam-user.name]
+}
+
+resource aws_iam_group_membership existing-group-membership {
+ count = length(var.add-to-groups)
+ name = var.add-to-groups[count.index]
+ group = var.add-to-groups[count.index]
+ users = [aws_iam_user.iam-user.name]
+}
+
+resource "aws_iam_group_policy" "iam-group-policy" {
+ count = var.create-group ? 1 : 0
+ name = "SelfServiceAccess"
+ group = aws_iam_group.iam-group[0].name
+ policy = var.iam-user-policy
+}
+
+resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
+ count = var.create-group ? length(var.managed-policy-arns) : 0
+ group = aws_iam_group.iam-group[0].name
+ policy_arn = var.managed-policy-arns[count.index]
+}
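Review bot: `existing-group-membership` uses `aws_iam_group_membership`, which manages a group's complete user list, so one instance per user pointed at a shared, pre-existing group makes every apply set that group's membership to just this user and strips (or fights over) everyone else. `aws_iam_user_group_membership` is the per-user, non-exclusive form and takes the whole `var.add-to-groups` list, which collapses the block to a single resource as sketched below. Separately, `random_password.iam-user-pass` is never referenced — `iam-user-profile` lets the provider generate the password — so it only leaves an unused 20-character secret in state and can be dropped. `force_destroy = true` on `aws_iam_user` is hard-coded, so a destroy also removes access keys, login profile and MFA devices the user created outside Terraform; exposing it as a variable defaulting to `false` would make that opt-in.
```terraform
resource aws_iam_user_group_membership existing-group-membership {
  count  = length(var.add-to-groups) > 0 ? 1 : 0
  user   = aws_iam_user.iam-user.name
  groups = var.add-to-groups
}
```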
diff --git a/modules/security_identity_compliance/iam-user-gpg/outputs.tf b/modules/security_identity_compliance/iam-user-gpg/outputs.tf
new file mode 100644
index 0000000..63d50b1
--- /dev/null
+++ b/modules/security_identity_compliance/iam-user-gpg/outputs.tf
@@ -0,0 +1,19 @@
+output iam-user-name {
+ value = aws_iam_user.iam-user.name
+}
+
+output iam-user-arn {
+ value = aws_iam_user.iam-user.arn
+}
+
+output iam-user-pass {
+ value = try(aws_iam_user_login_profile.iam-user-profile[0].encrypted_password, "")
+}
+
+output iam-user-access-key {
+ value = try(aws_iam_access_key.iam-user-access-key[0].id, "")
+}
+
+output iam-user-secret-key {
+ value = try(aws_iam_access_key.iam-user-access-key[0].encrypted_secret, "")
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-user-gpg/variables.tf b/modules/security_identity_compliance/iam-user-gpg/variables.tf
new file mode 100644
index 0000000..5b78307
--- /dev/null
+++ b/modules/security_identity_compliance/iam-user-gpg/variables.tf
@@ -0,0 +1,27 @@
+variable iam-user-name {}
+variable iam-user-policy {}
+variable create-access-key {
+ type = bool
+}
+variable create-password {
+ type = bool
+}
+variable default-tags {}
+variable managed-policy-arns {}
+variable create-group {
+ type = bool
+}
+variable iam-group-name {
+ type = string
+ default = ""
+}
+
+variable add-to-groups {
+ type = list
+ default = []
+}
+variable iam-user-policy-name {}
+variable pgp-key {
+ type = string
+ default = ""
+}
\ No newline at end of file
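Review bot: `iam-user-pass` and `iam-user-secret-key` are not marked `sensitive = true`, so Terraform echoes them in the apply summary (and therefore in CI logs) even though the README treats them as credentials to be decrypted on a workstation. Adding `sensitive = true` to both blocks keeps them out of the summary while `terraform output <name>` still returns the value, so the README's decrypt pipeline keeps working (worth confirming the single-output behaviour against the Terraform version this repo pins). Note also that `try(..., "")` only covers the missing `[0]` index: when the caller leaves `pgp-key` at its empty default, the provider most likely leaves `encrypted_secret`/`encrypted_password` blank and writes the plaintext to `secret`/`password` in state, so an empty output here does not mean no credential was created.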
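Review bot: `pgp-key` defaults to `""`, which is what `aws_iam_access_key` and `aws_iam_user_login_profile` in main.tf receive when a caller omits it; with an empty `pgp_key` the provider stores the secret access key (and, on provider versions where the login-profile key is optional, the console password) in plaintext in state, contradicting the README's promise that credentials are always gpg-encrypted. The README example creates no credentials and passes no key, so the empty default has a legitimate use and simply removing it would break that example. The gap is better closed by rejecting an empty key whenever `create-access-key` or `create-password` is true — a `validation` block if the pinned Terraform allows cross-variable references there, otherwise a `lifecycle { precondition { ... } }` on the two credential resources — and by stating in a `description` that the key is mandatory when credentials are created. While here, `add-to-groups` uses the legacy untyped `list`; `type = list(string)` (and the same for `managed-policy-arns`) rejects malformed input before `count = length(...)` is evaluated.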