Profile Applicability: Level 1


Description: 

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy requires a minimum length of 14 or greater.


Rationale: 

The password policy should enforce passwords contain a minimum of 14 characters, and similar conditions such as minimum length, whether it requires nonalphabetic characters, and how frequently it must be rotated in users account, will make a strong password. It's one of the best security practices.


Impact:

Setting a password complexity policy increases account resiliency against brute force login attempts.

 

Default Value:

By default, AWS will have only a few password policy and if you want to make custom policies you can follow the remediation steps.


Pre-requisites:

  • Login to AWS console with Administrator access

  • After auditing, if you found minimum length is not 14 then only perform the below steps.


Remediation:

Test Plan:

Using AWS Console 

  1. Login to AWS Console 

  2. Go to IAM Service on the AWS Console https://console.aws.amazon.com/iam/

  3. Click on Account Settings on the Left Pane 

  4. Check the list of policies shown under Password policy section to know whether the particular policy is enabled or not


Using AWS CLI:

To view the password policy:

aws iam get-account-password-policy


Implementation steps:

Perform the following to set the password policy as prescribed:

  1. Login to AWS Console 

  2. Go to IAM Service on the AWS Console https://console.aws.amazon.com/iam/

  3. Click on Account Settings on the Left Pane

  4. Click on Change password policy button under the password policy section

  5. In Enforce minimum password length option mention minimum length as 14 or greater and click on save changes

Using AWS CLI:

To create or change the custom password policy:

aws iam update-account-password-policy --minimum-password-length 14


Backout plan:

  • Login to AWS Console 

  • Go to IAM Service on the AWS Console https://console.aws.amazon.com/iam/

  • Click on Account Settings on the Left Pane

  • If you want to delete or change the custom policies click on Delete or Change buttons


Using AWS CLI:

To delete the custom password policy:

aws iam delete-account-password-policy


References:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#IAMPasswordPolicy


CIS Controls:

16. Account Monitoring and Control

Account Monitoring and Control