Profile Applicability:

Level 1

Description:

AWS IAM password policies can be configured to prevent users from reusing old passwords. It is recommended that IAM password policies remember the last 24 passwords to prevent reuse and increase account security.

Rationale:

Preventing password reuse enhances security by ensuring that users cannot cycle back to previously used passwords that may have been exposed or compromised. This reduces the risk of brute force attacks, credential stuffing, and password guessing attempts.

Impact:

Benefits of Preventing Password Reuse:

  • Ensures users create new and unique passwords.
  • Reduces risk of compromised passwords being reused.
  • Enhances security compliance (CIS, SOC 2, HIPAA, PCI-DSS).

Potential Challenges:

  • Users may struggle to create new passwords if they frequently change them.
  • Password management tools may be required to track unique passwords.

Default Value:

  • AWS IAM password policies do not prevent password reuse by default.
  • Without a password history policy, users can reuse their previous passwords indefinitely.

Pre-Requisite:

AWS Account Access:

  • IAM user with Administrator privileges or IAM permissions to update password policies.

AWS CLI Installed (for automation purposes):

  • Ensure AWS CLI is configured with appropriate IAM permissions.

Organizational Approval:

  • Verify that IT/security teams agree to enforce password history restrictions.

Remediation:

Test Plan: Ensure that IAM password policies prevent reuse of the last 24 passwords.

Using AWS Console:

  1. Log in to the AWS Console with IAM permissions.

  2. Navigate to the IAM service (AWS IAM Console).

  3. Click on Account Settings in the left navigation panel.

  4. Ensure "Prevent password reuse" is checked.

  5. Ensure "Number of passwords to remember" is set to 24.

  6. If the setting is not configured correctly, proceed with remediation.

Using AWS CLI:

Run the following command to check the existing password policy:

aws iam get-account-password-policy

Ensure the PasswordPolicy object in the output contains:

{
    "PasswordReusePrevention": 24
}

  • If "PasswordReusePrevention" is less than 24, or the command reports that no password policy exists for the account, proceed with remediation.
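As an added example (not part of the original benchmark text), a POSIX shell check that evaluates the JSON document returned by aws iam get-account-password-policy against the 24-password requirement, treating a missing PasswordReusePrevention key or a missing policy as a failure. The sample policy documents are constructed for offline use.

```shell
#!/bin/sh
# Added example: evaluate an IAM password-policy JSON document for the
# CIS password-reuse requirement. Sample documents below are constructed.

REQUIRED_HISTORY=24

# Extract the integer value of PasswordReusePrevention from a JSON document
# on stdin; prints nothing when the key is absent (reuse is then unrestricted).
reuse_prevention_from_json() {
    tr -d ' \n\r\t' | sed -n 's/.*"PasswordReusePrevention":\([0-9]*\).*/\1/p'
}

# Evaluate one policy document; prints PASS/FAIL with a reason, returns 0 on pass.
check_policy() {
    value=$(printf '%s' "$1" | reuse_prevention_from_json)
    if [ -z "$value" ]; then
        echo "FAIL: PasswordReusePrevention is not set (password reuse allowed)"
        return 1
    elif [ "$value" -lt "$REQUIRED_HISTORY" ]; then
        echo "FAIL: PasswordReusePrevention=$value, requirement is $REQUIRED_HISTORY"
        return 1
    fi
    echo "PASS: PasswordReusePrevention=$value"
    return 0
}

# Query the live account. A NoSuchEntity error means no custom policy exists
# at all, which is equally a failure because reuse is then unrestricted.
check_account() {
    if ! out=$(aws iam get-account-password-policy 2>&1); then
        echo "FAIL: no password policy configured ($out)"
        return 1
    fi
    check_policy "$out"
}

# Constructed sample documents in the shape the CLI returns.
COMPLIANT='{"PasswordPolicy":{"MinimumPasswordLength":14,"RequireSymbols":true,"PasswordReusePrevention":24}}'
WEAK='{"PasswordPolicy":{"MinimumPasswordLength":8,"PasswordReusePrevention":5}}'
UNSET='{"PasswordPolicy":{"MinimumPasswordLength":6,"RequireSymbols":false}}'

# Offline demonstration; use check_account against a real account.
for doc in "$COMPLIANT" "$WEAK" "$UNSET"; do
    check_policy "$doc"
done
```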

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Console with IAM permissions.

  2. Navigate to the IAM service (AWS IAM Console).

  3. Click Account Settings in the left panel.

  4. Check "Prevent password reuse".

  5. Set "Number of passwords to remember" to 24.

  6. Click Apply password policy to enforce the new settings.

Using AWS CLI:

Run the following command to enforce a password reuse prevention policy:

aws iam update-account-password-policy --password-reuse-prevention 24

Note that update-account-password-policy replaces the whole policy: any option not given on the command line reverts to its default value, so the single-option command above also resets the other password settings. To further strengthen password security, set the reuse requirement together with the other best practices in one command:

aws iam update-account-password-policy \
    --minimum-password-length 14 \
    --require-uppercase-characters \
    --require-lowercase-characters \
    --require-numbers \
    --require-symbols \
    --password-reuse-prevention 24

This command ensures that IAM passwords:

  • Are at least 14 characters long.
  • Contain uppercase and lowercase letters.
  • Include numbers and special characters.
  • Prevent reuse of the last 24 passwords.

Backout Plan:

If enforcing password reuse prevention causes issues:

  • Temporarily reduce the history requirement using the following command:

    aws iam update-account-password-policy --password-reuse-prevention 10

  • Disable the password history policy if required:

    aws iam delete-account-password-policy

  • Warning: Deleting the password policy will remove all password complexity requirements.

References:

CIS Controls Mapping:

  CIS Control Version | Control ID | Control Description
  CIS v8 | 5.2 | Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
  CIS v7 | 4.4 | Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.