Profile Applicability: Level 1


Description:

The custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for the IAM user’s passwords, IAM password policies can require passwords to rotated or expired after a given number of days. This policy validates that the account password policy enforcing that after some time period change the password. 


Rationale:

The most important thing that why we do these kinds of policy is if the user is active for the last 90 days, and the user hasn’t updated the password it will disable the user account temporarily until he changes the account password.

It also helps some following scenarios:

  • Many people use the same password for many systems such as work, email, and personal. If we implement this policy password change is required for these kinds of people.

  • Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system corporate and government web filters or proxy servers that have the ability to intercept and record traffic even if it’s encrypted.

  • Some corporate and governments have the ability to intercept and record encrypted traffic.


Impact:

The impact of this policy will prevent users from using the same password, and it prevents brute force login. Actually, password expiration has not locked in the user's account or disabled once the password expires, the user is simply forced to change their password once they log on after the expiration date. It makes it best practice for the user to be changed the password periodically and perhaps frequently. Changing your password every 90 days or less prevents the risk from the attackers.

The IAM policy does not apply to the AWS account root user password or IAM user access keys. Here I would like to give some examples If you set a password expiration period of 90 days. In that case, the password expires for all IAM users whose existing password is older than 90 days. Those users are required to change their password in their next sign-in.


Default Value:

By default, password expiration is not enabled, If we click on the check box to enable this it always takes 90 days for passwords to expire.


Audit:

Perform the following to ensure the password policy is configured as prescribed: Via AWS Console 

  1. Login to AWS Console 

  2. Go to IAM Service on the AWS Console https://console.aws.amazon.com/iam/

  3. Click on Account Settings on the Left Pane 

  4. Check the list of policies shown under Password policy section to know whether the particular policy is enabled or not 

Via CLI:


Run the below AWS CLI command to get the age of the password

aws iam get-account-password-policy


Remediation:

Pre-Requisite:

  1. Login to AWS console as admin or authorized user

  2. Permit IAM users to change their own passwords.

Implementation Steps:

  1. Login to AWS Console with Admin access
  2. Go to IAM Service https://console.aws.amazon.com/iam/
  3.  Click on Account Setting  
  4.  Click on the Change button 
  5. In Modify password policy click on the check box of “Enable password expiration” and here we recommend you to set 90 days(you can set it ranging from 1 to 1095 days as per your organization policy requirement)
  6. Click on Save Changes button

Via CLI:

Following command to set the maximum age of password here, I give the value 90 days (you can set  1 day to 1095 days as per organization policy requirement) 

aws iam update-account-password-policy --max-password-age 90


Backout Plan:

If you want to revoke changes or disable the expiration value follow steps 1-4 from the Implementation steps section and then in step 5 where you want to change value Or else if you don't want to continue with this policy you can uncheck the box of Enable password Expiration and click on the Save changes button.


Reference:

  1. Setting an account password policy for IAM users - AWS Identity and Access Management  

  2.  Setting an account password policy for IAM users - AWS Identity and Access Management   

CIS Controls:


16. Account Monitoring and Control

  • Account Monitoring and Control