Profile Applicability: Level 1


Description:

An IAM policy is a document that allows or denies permissions to AWS services and resources. IAM also maintains the account password policy, which can prevent a user from reusing a previously used password. It is recommended that the password policy prevent password reuse. IAM lets you manage access to AWS services and resources securely and gives you the flexibility to configure that access according to your company's specific operational and security needs; it sets the authentication rules for users, groups, and roles.


Rationale:

Allowing a user to reuse a previous password weakens the account; preventing password reuse increases the account's resiliency against brute force login attempts.


Impact:

Rotating the console password periodically, with reuse prevention enabled, keeps previous passwords from coming back into use and enhances security.


Default Value:


By default, AWS applies only a minimal password policy; to set custom requirements, follow the remediation steps.



Audit:

Perform the following to ensure the password policy is configured as prescribed:

Via AWS Console:

  1. Login to AWS Console 

  2. Go to IAM Service on the AWS Console https://console.aws.amazon.com/iam/

  3. Click on Account Settings on the Left Pane 

  4. Check the list of settings shown under the Password policy section to see whether the particular setting is enabled or not 

Via CLI:

Run the following command to view the password policy (if the account has never set a custom policy, the command returns a NoSuchEntity error instead of a policy):

aws iam get-account-password-policy




Remediation:

Pre Requisite

Before starting the configuration of the IAM password policy we need to keep in mind the following:

  1. Avoid logging in as the root user.

  2. Only authorized persons (i.e., admins) should have access to the IAM console.


Implementation Steps

Perform the following to set the password policy as prescribed:

  1. Log in to the AWS account with Admin access 
  2. Go to IAM Service on the AWS Console https://console.aws.amazon.com/iam/
  3. Click on Account settings in the left navigation pane, under the Identity and Access Management (IAM) Dashboard 
  4. Under Password policy, click the Change button

  5. After clicking Change you are taken to the Modify password policy panel. Tick the check box shown in the image, which prevents password reuse, and set Remember passwords to "24" (we recommend 24, but any value from 1 to 24 may be chosen according to your security requirements), then click the Save changes button


CLI Remediation:

Run the following command. Note that update-account-password-policy does not support partial updates: any parameter not specified reverts to its default value, so restate the existing password policy settings alongside this flag.

aws iam update-account-password-policy --password-reuse-prevention 24
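The following script, added here as an example and not part of this benchmark, automates the audit check above and the remediation command: it evaluates sample get-account-password-policy output (constructed, not from a real account) against the prescribed value of 24 and builds an update command that restates existing settings, since the update is not partial. The CLI response keys and flag names are the ones AWS documents; the sample values are assumed.

```python
import json

# Constructed sample responses in the shape returned by
# `aws iam get-account-password-policy` (not captured from a real account).
COMPLIANT = '{"PasswordPolicy": {"MinimumPasswordLength": 14, "RequireSymbols": true, "PasswordReusePrevention": 24}}'
WEAK = '{"PasswordPolicy": {"MinimumPasswordLength": 8, "RequireSymbols": false, "PasswordReusePrevention": 5}}'
UNSET = '{"PasswordPolicy": {"MinimumPasswordLength": 8, "MaxPasswordAge": 90}}'  # reuse prevention never set

REQUIRED_REMEMBERED = 24  # value prescribed by this recommendation

# CLI flags that carry an existing setting over to update-account-password-policy
INT_FLAGS = {"MinimumPasswordLength": "--minimum-password-length",
             "MaxPasswordAge": "--max-password-age"}
BOOL_FLAGS = {"RequireSymbols": "require-symbols",
              "RequireNumbers": "require-numbers",
              "RequireUppercaseCharacters": "require-uppercase-characters",
              "RequireLowercaseCharacters": "require-lowercase-characters",
              "AllowUsersToChangePassword": "allow-users-to-change-password",
              "HardExpiry": "hard-expiry"}

def check_reuse_prevention(cli_output, required=REQUIRED_REMEMBERED):
    """Audit one get-account-password-policy result. None models the NoSuchEntity
    error the CLI returns when the account has never set a custom policy."""
    if cli_output is None:
        return False, "no custom password policy (NoSuchEntity): password reuse is allowed"
    policy = json.loads(cli_output).get("PasswordPolicy", {})
    remembered = policy.get("PasswordReusePrevention")
    if remembered is None:
        return False, "PasswordReusePrevention not set: previous passwords can be reused"
    if remembered < required:
        return False, f"PasswordReusePrevention={remembered}, expected {required}"
    return True, f"PasswordReusePrevention={remembered}"

def remediation_command(cli_output, required=REQUIRED_REMEMBERED):
    """Build the fix. update-account-password-policy has no partial update: any
    flag left out reverts to its default, so existing settings are restated."""
    policy = json.loads(cli_output).get("PasswordPolicy", {}) if cli_output else {}
    args = ["aws", "iam", "update-account-password-policy"]
    for key, flag in INT_FLAGS.items():
        if key in policy:
            args += [flag, str(policy[key])]
    for key, flag in BOOL_FLAGS.items():
        if key in policy:
            args.append(f"--{flag}" if policy[key] else f"--no-{flag}")
    args += ["--password-reuse-prevention", str(required)]
    return " ".join(args)

if __name__ == "__main__":
    for name, out in [("compliant", COMPLIANT), ("weak", WEAK), ("unset", UNSET), ("no policy", None)]:
        ok, finding = check_reuse_prevention(out)
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {finding}")
        if not ok:
            print("  fix:", remediation_command(out))
```

In practice the sample strings would be replaced by the actual CLI output, and the generated command reviewed before it is run, since it rewrites the whole account password policy.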


Backout Plan:

To revert to the previous settings, follow the Implementation Steps section and uncheck the Prevent password reuse option. If you only want to change the Remember passwords value, follow the Implementation Steps section and enter the previous value, or the value you want, in that field.


References:


CIS Controls:


4.4 Use Unique Passwords

  • Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.