Profile Applicability:
Level 1
Description:
AWS IAM password policies enforce password complexity requirements for users. It is recommended that the password policy require a minimum password length of 14 characters to enhance security against brute-force attacks.
Rationale:
A strong password policy significantly reduces the risk of brute force login attempts and unauthorized access to AWS resources. Enforcing a minimum password length of 14 characters increases password entropy, making them more resistant to attacks.
Impact:
Benefits of a Strong Password Policy:
- Increases password security against brute force attacks.
- Helps in meeting compliance requirements (CIS, SOC 2, HIPAA, PCI-DSS).
- Reduces risk of unauthorized access.
Potential Challenges:
- User convenience: Users may find longer passwords difficult to remember.
- Password management complexity: Organizations may need password managers or SSO solutions to handle long passwords securely.
Default Value:
AWS IAM password policy does not enforce a minimum password length by default.
Without a password policy, users can set passwords with weak or easily guessable patterns.
Pre-Requisites:
AWS Account Access:
IAM user with Administrator privileges or IAM policy allowing password policy modifications.
AWS CLI Installed (for automation purposes):
Ensure AWS CLI is configured with appropriate IAM permissions.
Organizational Approval:
Verify that IT/security teams agree to enforce a 14-character minimum password policy.
Remediation:
Test Plan:
Ensure that IAM password policies enforce a minimum password length of 14 characters.
Using AWS Console:
Login to AWS Console with IAM permissions.
Navigate to IAM Service: AWS IAM Console.
Click on Account Settings in the left navigation panel.
Locate Minimum password length and ensure it is set to 14 or greater.
If the setting is not configured correctly, proceed with remediation.
Using AWS CLI:
- Run the following command to check the existing password policy:
aws iam get-account-password-policy
- Ensure the output contains:
{
"MinimumPasswordLength": 14
}- If "MinimumPasswordLength" is less than 14, proceed with remediation.
Implementation Steps:
Using AWS Console:
Login to AWS Console with IAM permissions.
Navigate to IAM Service: AWS IAM Console.
Click Account Settings in the left panel.
Set Minimum password length to 14 or greater.
Click Apply password policy to enforce the new settings.
Using AWS CLI:
- Run the following command to enforce a 14-character minimum password length:
aws iam update-account-password-policy --minimum-password-length 14
- To further strengthen password security, enforce additional complexity requirements:
aws iam update-account-password-policy \
--minimum-password-length 14 \
--require-uppercase-characters \
--require-lowercase-characters \
--require-numbers \
--require-symbolsThis command ensures that IAM passwords:
- Are at least 14 characters long.
- Contain uppercase and lowercase letters.
- Include numbers and special characters for added security.
Backout Plan
- If enforcing a 14-character password policy causes issues: Temporarily reduce the length requirement using the following command:
aws iam update-account-password-policy --minimum-password-length 12
- Disable the policy update if required:
aws iam delete-account-password-policy
- Warning: Deleting the password policy will remove all password complexity requirements.