Description:
This policy ensures that password lockout policy settings are enabled for all domain users. This is important for security, as it helps to protect user accounts from unauthorized access.
Rationale:
If an attacker successfully guesses a user's password, they can then use that password to access the user's account. By enabling password lockout policy settings, organizations can help to prevent attackers from gaining unauthorized access to user accounts after they have guessed a password.
Impact:
The impact of enabling password lockout policy settings for all domain users will vary depending on the specific organization. However, in general, this policy will help to improve the security of the organization's user accounts and reduce the risk of unauthorized access.
Default Value:
AWS will initially recommend that organizations enable password lockout policy settings for all domain users. However, the specific implementation of this policy will vary depending on the organization's specific needs.
Pre-requisites:
To enable password lockout policy settings for all domain users, the following pre-requisites must be met:
- The organization must have an Active Directory domain.
- The organization must have the appropriate permissions to manage Active Directory.
- The organization must have a process for enabling password lockout policy settings.
Remediation Steps:
If password lockout policy settings are not enabled for all domain users, the organization must take steps to remediate the issue. The remediation steps will vary depending on the specific situation.
Test Plan:
The organization should develop a test plan to verify that password lockout policy settings are enabled for all domain users. The test plan should include steps to verify that the settings are working properly, and that users are being locked out after a certain number of failed login attempts.
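As an added example for this test plan (not part of the original policy), the following Python replays CloudTrail ConsoleLogin records and reports which users reached the page's threshold of 5 failed sign-ins inside one observation window, which is the evidence the test plan asks for. The 30-minute window, the reset of the counter on a successful sign-in and the sample records are assumptions constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold from the lockout rule on this page; the 30-minute window is an assumed value.
MAX_FAILED_LOGIN_ATTEMPTS = 5
OBSERVATION_WINDOW = timedelta(minutes=30)

def _rec(t, user, outcome):
    """Build one constructed CloudTrail ConsoleLogin record (sample data only)."""
    return json.dumps({"eventTime": f"2024-05-01T{t}Z", "eventName": "ConsoleLogin",
                       "userIdentity": {"type": "IAMUser", "userName": user},
                       "responseElements": {"ConsoleLogin": outcome}})

# Constructed sample log, one JSON record per line as CloudTrail delivers them.
SAMPLE_LOG = "\n".join(_rec(t, u, o) for t, u, o in [
    ("09:00:00", "alice", "Failure"), ("09:02:00", "alice", "Failure"), ("09:04:00", "alice", "Failure"),
    ("09:06:00", "alice", "Failure"), ("09:08:00", "alice", "Failure"),   # five failures in eight minutes
    ("09:01:00", "bob", "Failure"), ("09:03:00", "bob", "Failure"), ("09:05:00", "bob", "Failure"),
    ("09:07:00", "bob", "Success"), ("09:09:00", "bob", "Failure"), ("09:11:00", "bob", "Failure"),
    ("08:00:00", "carol", "Failure"), ("09:00:00", "carol", "Failure"), ("09:01:00", "carol", "Failure"),
    ("09:02:00", "carol", "Failure"), ("09:03:00", "carol", "Failure"),   # only four inside the window
])

def parse_console_logins(text):
    """Yield (time, user, succeeded) for every ConsoleLogin record in text."""
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        if rec.get("eventName") != "ConsoleLogin":
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ok = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
        yield when, rec.get("userIdentity", {}).get("userName", "<unknown>"), ok

def find_lockout_candidates(events, threshold=MAX_FAILED_LOGIN_ATTEMPTS, window=OBSERVATION_WINDOW):
    """Map each user whose failures within one window reach the threshold to the
    time it happened. A Success clears the counter (assumed, as AD's badPwdCount does)."""
    recent, hits = defaultdict(deque), {}
    for when, user, ok in sorted(events):
        if ok:
            recent[user].clear()
            continue
        q = recent[user]
        q.append(when)
        while when - q[0] > window:   # drop failures that fell outside the window
            q.popleft()
        if len(q) >= threshold and user not in hits:
            hits[user] = when
    return hits
```

Run against real CloudTrail output by feeding each event's JSON line to parse_console_logins; a user who appears in the result with no matching lockout in the identity store shows the control is not working.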
Implementation Plan:
The organization should develop an implementation plan to ensure that password lockout policy settings are enabled for all domain users. The implementation plan should include steps to develop a process for enabling password lockout policy settings, and to train employees on the process.
AWS CLI Process:
To configure the IAM account password policy using the AWS CLI (IAM keeps a single account-level password policy rather than named policy documents), the following command can be used:
aws iam update-account-password-policy --minimum-password-length 8 --require-uppercase-characters --require-lowercase-characters --require-numbers --require-symbols
This command applies the same complexity requirements as the policy document in the next section (minimum length 8, uppercase, lowercase, numbers and symbols). The IAM account password policy has no failed-sign-in lockout setting, so the lockout threshold must be verified by monitoring sign-in failures (for example CloudTrail ConsoleLogin events) rather than through an option of this command.
Using AWS GUI:
To enable password lockout policy settings for all domain users using the AWS GUI, the following steps can be followed:
- Go to the AWS IAM console.
- Click on the "Password Policies" tab.
- Click on the "Create Policy" button.
- Select the "JSON" tab.
- Paste the following policy document into the text box:
{
  "Version": "2012-10-17",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "RequireStrongPasswords",
        "Effect": "Require",
        "Rule": {
          "Length": { "Min": 8 },
          "RequireUppercase": true,
          "RequireLowercase": true,
          "RequireNumbers": true,
          "RequireSymbols": true
        }
      },
      {
        "Sid": "LockoutAccountAfterFailedLoginAttempts",
        "Effect": "Deny",
        "Rule": {
          "MaxFailedLoginAttempts": 5,
          "RequireResetOnFailedLogin": true
        }
      }
    ]
  }
}
- Click on the "Create Policy" button.
Backout Plan:
If the policy to enable password lockout policy settings for all domain users is not working properly, the organization may need to back out of the policy. To do this, the organization can delete the policy.
Note:
- This policy is not intended to be a comprehensive guide to enabling password lockout policy settings. For more information, please refer to the AWS IAM documentation.
- This policy is subject to change.
Reference:
- AWS IAM documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
Section 2:
- Tags and Keywords: passwords, security, policy, lockout, domain