Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises. 

Priority: High   

Category: Centralized Controls Management 

Services Associated with AWS:   

  • AWS Identity and Access Management (IAM) 

Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Identity & Access Management (IAM) practices are implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings 

Possible Technology Considerations : 

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC) 

What needs to be answered :  

Do new employees receive an account and instructions for creating a password during the hiring process? Do new employees receive notification of their account, and are they required to reset their initial passwords? Are temporary password activation links sent to validated employees should they require a password reset or change? Are temporary passwords only good to allow for a password reset? Does the system enforce immediate password change after logon when a temporary password is issued for a lost or forgotten password? 

  • Immediate Change from Temporary to Permanent Password
    Description: This check ensures that organizations require users to immediately change their temporary passwords to permanent passwords upon system logon. Temporary passwords are typically issued for initial access to systems or for password reset processes. Requiring an immediate change from a temporary password to a permanent password strengthens the authentication mechanism by ensuring that users set a new password that meets the organization's password complexity requirements. This reduces the risk of unauthorized access due to compromised temporary passwords.

More Details:   

Users issued temporary passwords on account creation or password reset with a requirement to change password upon first logging in with temporary password.