AWS lets you set a custom password policy on your account that specifies complexity requirements and mandatory rotation periods for IAM users' passwords; in particular, an IAM password policy can require passwords to be rotated (expired) after a given number of days. This policy check validates that the account password policy enforces a password change after a set period.
The main reason for enforcing this kind of policy is that if a user has been active for the last 90 days and has not updated their password, the user account is temporarily disabled until the user changes the password.
It also helps in the following scenarios:
The impact of this policy is that it prevents users from keeping the same password indefinitely, and it helps protect against brute-force logins. Note that password expiration does not lock or disable the user's account once the password expires; the user is simply forced to change their password when they next sign in after the expiration date. It makes it a best practice for users to change their passwords periodically, and perhaps frequently. Changing your password every 90 days or less reduces the risk from attackers.
The IAM password policy does not apply to the AWS account root user password or to IAM user access keys. For example, if you set a password expiration period of 90 days, the password expires for all IAM users whose existing password is older than 90 days, and those users are required to change their password at their next sign-in.
By default, password expiration is not enabled. If you select the check box to enable it, the expiration period defaults to 90 days.
Run the AWS CLI command below to view the current account password policy, including the configured maximum password age:
aws iam get-account-password-policy
- Log in to the AWS Console with Admin access
- Go to the IAM service: https://console.aws.amazon.com/iam/
- Click on Account settings
- Click on the Change button
- In Modify password policy, select the "Enable password expiration" check box. We recommend setting 90 days (you can set any value from 1 to 1095 days, as your organization's policy requires)
- Click on the Save changes button
- Alternatively, run the following command to set the maximum password age; here I use 90 days (you can set 1 to 1095 days, as your organization's policy requires):
aws iam update-account-password-policy --max-password-age 90
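The script below is an added example for this article (not AWS code and not part of the original text). It automates the two checks described above: it parses the JSON printed by `aws iam get-account-password-policy` to confirm that expiration is enabled with a maximum age at or below 90 days, and it reads rows in the shape of the IAM credential report to list the users whose existing password is already older than that age. It also builds the remediation command shown above and rejects ages outside the 1 to 1095 day range. The sample policy JSON and the credential report rows are constructed for the example (the field and column names are the real ones the CLI returns, the values and the account ID 123456789012 are placeholders); no AWS calls are made, so it runs offline on captured output.

```python
"""Audit the IAM password-expiration setting and find users past the maximum age.

Added example for this article; not AWS code. Reads captured CLI output, makes no AWS calls.
"""
import csv
import io
import json
from datetime import datetime, timedelta

RECOMMENDED_MAX_AGE_DAYS = 90                  # the value recommended in the article
AWS_MIN_AGE_DAYS, AWS_MAX_AGE_DAYS = 1, 1095   # range accepted by --max-password-age

# Constructed sample in the shape printed by `aws iam get-account-password-policy`
# (field names are the real API names; the values are made up for this example).
SAMPLE_POLICY_JSON = """{
  "PasswordPolicy": {
    "MinimumPasswordLength": 14,
    "RequireSymbols": true,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": true,
    "MaxPasswordAge": 180,
    "PasswordReusePrevention": 24,
    "HardExpiry": false
  }
}"""

# Constructed subset of an IAM credential report (CSV, one row per user). Only the
# columns used below are included; the account ID 123456789012 is a placeholder.
SAMPLE_CREDENTIAL_REPORT = """user,arn,password_enabled,password_last_used,password_last_changed
alice,arn:aws:iam::123456789012:user/alice,true,2024-05-01T08:00:00+00:00,2024-04-01T00:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,2024-05-02T08:00:00+00:00,2023-11-01T00:00:00+00:00
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,false,N/A,N/A
"""


def check_expiration(policy_json, max_allowed_age_days=RECOMMENDED_MAX_AGE_DAYS):
    """Return a list of findings; an empty list means the expiration rule is met."""
    policy = json.loads(policy_json).get("PasswordPolicy", {})
    findings = []
    if not policy.get("ExpirePasswords", False):
        # With expiration off, MaxPasswordAge is absent, so there is nothing more to check.
        findings.append("Password expiration is not enabled (ExpirePasswords is false).")
        return findings
    age = policy.get("MaxPasswordAge")
    if age is None or not AWS_MIN_AGE_DAYS <= age <= AWS_MAX_AGE_DAYS:
        findings.append(f"MaxPasswordAge {age!r} is outside the valid range "
                        f"{AWS_MIN_AGE_DAYS}-{AWS_MAX_AGE_DAYS} days.")
    elif age > max_allowed_age_days:
        findings.append(f"MaxPasswordAge is {age} days; at most {max_allowed_age_days} is required.")
    if not policy.get("AllowUsersToChangePassword", False):
        # Users whose password expires cannot fix it themselves; an admin reset is needed.
        findings.append("AllowUsersToChangePassword is false; expired users will need an admin reset.")
    return findings


def expired_password_users(report_csv, max_age_days, now_iso):
    """Return users whose console password is older than max_age_days at time now_iso."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(days=max_age_days)
    expired = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] != "true":
            continue  # no console password (e.g. an access-key-only user): nothing to expire
        changed = datetime.fromisoformat(row["password_last_changed"])
        if now - changed > limit:
            expired.append(row["user"])
    return expired


def remediation_command(max_age_days=RECOMMENDED_MAX_AGE_DAYS):
    """Build the CLI command from the article that sets the maximum password age."""
    if not AWS_MIN_AGE_DAYS <= max_age_days <= AWS_MAX_AGE_DAYS:
        raise ValueError(f"max password age must be {AWS_MIN_AGE_DAYS}-{AWS_MAX_AGE_DAYS} days")
    return f"aws iam update-account-password-policy --max-password-age {max_age_days}"


if __name__ == "__main__":
    for finding in check_expiration(SAMPLE_POLICY_JSON):
        print("FINDING:", finding)
    print("expired:", expired_password_users(SAMPLE_CREDENTIAL_REPORT, 90, "2024-05-10T00:00:00+00:00"))
    print("fix:", remediation_command(90))
```

To run it against a real account, capture the inputs first with `aws iam get-account-password-policy > policy.json` and, after `aws iam generate-credential-report`, `aws iam get-credential-report --query Content --output text | base64 -d > report.csv`, then pass the file contents to the two functions. One caveat on the remediation command: UpdateAccountPasswordPolicy does not support partial updates, so any setting you omit from the call reverts to its default value; in a real account, pass the complete set of settings you want to keep rather than only --max-password-age.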
If you want to revert the changes or change the expiration value, follow steps 1-4 from the implementation steps above and then, in step 5, set the value you want. If you no longer want to use this policy, uncheck the Enable password expiration box and click on the Save changes button.