Profile Applicability
Level 1
Description:
IAM password policies control the strength of passwords used by IAM users in an AWS environment. Requiring a minimum password length of 14 characters or more helps ensure that passwords are more resistant to brute-force and dictionary attacks.
By enforcing a password policy with a minimum length of 14 or greater, organizations can enhance their security posture by making it more difficult for attackers to guess or crack passwords.
Rationale:
Requiring strong, complex passwords is a basic but effective security control. Passwords with a length of at least 14 characters are more secure and harder for attackers to crack using common attack techniques, such as:
Brute-force attacks: Trying all possible combinations of characters
Dictionary attacks: Using common words or phrases
Credential stuffing: Reusing breached password data
By enforcing a minimum password length of 14 characters, organizations can mitigate these risks and ensure that IAM users are following a stronger password policy.
Impact:
If the IAM password policy does not require a minimum length of 14 characters:
Passwords may be easier to guess, increasing the risk of unauthorized access.
Brute-force or dictionary attacks are more likely to succeed on weak passwords.
Enforcing a 14-character minimum password length makes it harder for attackers to compromise accounts, improving overall security.
Default Value:
By default, AWS does not enforce a minimum password length unless specifically configured. The default IAM password policy may have a minimum length of 6 characters, which is considered insufficient for strong security.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions to view and update IAM password policies
Access to the AWS Management Console or CLI to update the password policy
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to IAM and select Account settings.
Review the Password Policy settings.
Ensure the Minimum password length is set to 14 or greater.
If necessary, update the password policy to enforce the desired length.
Using AWS CLI:
aws iam get-account-password-policy --query 'PasswordPolicy.MinimumPasswordLength' --output text
This command returns the current minimum password length. Ensure that the result is 14 or greater. If the account has no password policy configured at all, the command fails with a NoSuchEntity error rather than printing a number; treat that as a failing result, since no minimum length is being enforced.
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Go to IAM > Account settings > Password policy.
Click Edit and set the Minimum password length to 14 or greater.
Optionally, enable other password policy settings such as:
Require at least one uppercase letter
Require at least one number
Require at least one special character
Click Apply to save the changes.
Using AWS CLI:
aws iam update-account-password-policy --minimum-password-length 14
This command ensures that all IAM users are required to use passwords with a minimum length of 14 characters. Note that update-account-password-policy does not perform partial updates: any parameter omitted from the call reverts to its default value, so record the current policy first (aws iam get-account-password-policy) and pass the existing settings (for example --require-symbols, --password-reuse-prevention) along with --minimum-password-length 14, otherwise those controls are silently cleared.
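As an added example (not part of this benchmark text and not an AWS tool), the following Python script covers both the CLI test plan and the CLI implementation plan above without network access: it parses the JSON that aws iam get-account-password-policy --output json returns (a constructed sample policy is embedded), treats a missing policy (NoSuchEntity) as a failing check, and composes the update-account-password-policy call that raises the minimum to 14 while re-sending every existing setting so that none of them reverts to its default. The sample policy values and the function names are assumptions made for illustration.

```python
"""Audit and non-destructive remediation helper for the IAM password policy.

Added example, not part of the benchmark. It works on the JSON produced by
`aws iam get-account-password-policy --output json`; the sample below is a
constructed policy for an account that only requires 8 characters.
"""
import json
import shlex

MIN_LENGTH = 14  # benchmark requirement

# Constructed sample response (not taken from a real account).
SAMPLE_POLICY_JSON = """{
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": true,
        "RequireNumbers": true,
        "RequireUppercaseCharacters": true,
        "RequireLowercaseCharacters": false,
        "AllowUsersToChangePassword": true,
        "ExpirePasswords": true,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 24,
        "HardExpiry": false
    }
}"""

# Response field -> CLI flag for update-account-password-policy.
# Booleans map to the --flag / --no-flag pair; ExpirePasswords is read-only
# (derived from MaxPasswordAge) and therefore has no flag.
BOOL_FLAGS = {
    "RequireSymbols": "require-symbols",
    "RequireNumbers": "require-numbers",
    "RequireUppercaseCharacters": "require-uppercase-characters",
    "RequireLowercaseCharacters": "require-lowercase-characters",
    "AllowUsersToChangePassword": "allow-users-to-change-password",
    "HardExpiry": "hard-expiry",
}
INT_FLAGS = {
    "MaxPasswordAge": "max-password-age",
    "PasswordReusePrevention": "password-reuse-prevention",
}


def parse_policy(cli_output):
    """Return the PasswordPolicy dict, or None when no policy is configured.

    When an account has never had a password policy the CLI exits non-zero
    with a NoSuchEntity message instead of JSON; feeding that text here turns
    the absence into a finding rather than a crash.
    """
    if "NoSuchEntity" in cli_output:
        return None
    return json.loads(cli_output)["PasswordPolicy"]


def is_compliant(policy):
    """Pass only if a policy exists and its minimum length meets the benchmark."""
    return policy is not None and policy.get("MinimumPasswordLength", 0) >= MIN_LENGTH


def build_update_command(policy):
    """Compose the remediation call, re-sending every existing setting.

    update-account-password-policy has no partial-update mode: a parameter
    left out reverts to its default, so each current value is passed again.
    """
    args = ["aws", "iam", "update-account-password-policy",
            "--minimum-password-length", str(MIN_LENGTH)]
    if policy is None:  # nothing to preserve; only the new minimum applies
        return args
    for field, flag in BOOL_FLAGS.items():
        if field in policy:
            args.append(f"--{flag}" if policy[field] else f"--no-{flag}")
    for field, flag in INT_FLAGS.items():
        if field in policy:
            args.extend([f"--{flag}", str(policy[field])])
    return args


if __name__ == "__main__":
    # Replace SAMPLE_POLICY_JSON with the real CLI output to audit an account.
    current = parse_policy(SAMPLE_POLICY_JSON)
    print("minimum length compliant:", is_compliant(current))
    if not is_compliant(current):
        print("remediation:", shlex.join(build_update_command(current)))
```

The script only prints the remediation command; review it and run it deliberately so that the re-sent settings are the ones you intend to keep.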
Backout Plan:
Using AWS Console:
If the new password policy causes user login issues:
Sign in to the IAM Console.
Go to Account settings > Password policy.
Temporarily lower the Minimum password length to a smaller value (e.g., 8 or 10) to troubleshoot any issues.
Reapply the 14-character minimum once user issues are resolved.
Using AWS CLI:
To temporarily revert the password policy if login issues arise:
aws iam update-account-password-policy --minimum-password-length 8
Once the issue is resolved, revert the policy back to a minimum password length of 14:
aws iam update-account-password-policy --minimum-password-length 14