Profile Applicability: Level 1


Description:

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy requires at least one uppercase letter.


Rationale:

At least one symbol in the password and similar conditions such as minimum length, whether it requires nonalphabetic characters, and how frequently it must be rotated in users account will make a strong password, one of the best security practices.


Impact:

Setting a password complexity policy increases account resiliency against brute force login attempts.


Default Value:

By default, AWS will have only a few password policy and if you want to make custom policies you can follow the remediation steps.

Audit:

Perform the following to ensure the password policy is configured as prescribed: Via AWS Console 

Check the list of policies shown under the Password policy section to know whether the particular policy is enabled or not
CLI Command

  • To view the password policy:  aws iam get-account-password-policy

Remediation:

Pre-requisites

  • Login to AWS console with Administrator access

  • Approval Required from the client for remediation of the task

  • After auditing, if the found uppercase letter condition is not enabled then only perform the below steps.

Implementation steps

Perform the following to set the password policy as prescribed:

Using AWS Console

  1. Login to AWS Console 

  2. Go to IAM Service on the AWS Console https://console.aws.amazon.com/iam/

  3. Click on Account Settings on the Left Pane

  4. Click on the Change password policy button under the password policy section

  5.  Check the Require at least one uppercase letter from Latin alphabet (A-Z) check box and click on save changes

CLI Remediation

  • To create or change the custom password policyaws iam update-account-password-policy


Backout plan:

  • Login to AWS Console 

  • Go to IAM Service on the AWS Console https://console.aws.amazon.com/iam/

  • Click on Account Settings on the Left Pane

  • If you want to delete or change the custom policies click on Delete or Change buttons


CLI Command

  • To delete the custom password policyaws iam delete-account-password-policy


References:

CIS Controls:


16. Account Monitoring and Control

  • Account Monitoring and Control