Profile Applicability:
Level 1
Description:
Preventing password reuse ensures that IAM users cannot set a password they have used recently when they change or reset it. IAM remembers each user's last N passwords (N is the PasswordReusePrevention value, from 1 to 24) and rejects a new password that matches any of them, so a user cannot cycle back to an old password that may already be known to an attacker.
Password history applies only to passwords within the AWS account. It does not stop a user from choosing a password they also use on another service, so it complements rather than replaces other controls such as MFA.
Rationale:
An old password may already be in an attacker's hands (from a phishing page, a leaked credential dump or a compromised device). If the user is allowed to set it again, the attacker regains access without doing anything new. For example:
If an attacker compromises a password and the user later reuses it, the attacker can regain access to the account.
Reusing passwords across different systems and services raises the risk of compromise through credential stuffing. IAM password history cannot detect this cross-service reuse, but it does stop the in-account rotation back to a password that was already exposed.
Preventing password reuse strengthens an organization's password policy by ensuring that each password change produces a password that is not in the user's recent history.
Impact:
Failure to enforce password history and prevent password reuse can lead to:
Users rotating back to a previously compromised or weak password, which silently undoes the benefit of a forced password change after an incident.
Credential-stuffing or password-spraying attempts succeeding with a password the organization believed had been retired.
Password expiration becoming ineffective, because a user can satisfy a forced change by alternating between two passwords.
Enforcing non-reuse of passwords closes these gaps. Note that the setting affects only future password changes: passwords already in use are not invalidated when it is enabled.
Default Value:
By default, an AWS account has no custom IAM password policy; in that state PasswordReusePrevention is not set and IAM enforces no password history. The setting must be enabled explicitly, with a value between 1 and 24 previous passwords.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions to view and update the account password policy (iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy)
Access to the AWS Management Console or CLI to update the password policy
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to IAM > Account settings.
Review the Password Policy settings.
Ensure that password reuse prevention is enabled and set to remember a defined number of previous passwords (e.g., 5 or more; the maximum is 24).
If necessary, update the password policy to enforce the prevention of password reuse.
Using AWS CLI:
aws iam get-account-password-policy --query 'PasswordPolicy.PasswordReusePrevention' --output text
This command prints the number of previous passwords that cannot be reused. Ensure that the output is the desired number (e.g., 5 or more). If the output is None, the attribute is not set and no history is enforced; if the command fails with NoSuchEntity, the account has no custom password policy at all. Both of these are failing results.
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Go to IAM > Account settings > Password policy.
Click Edit and enable the option that prevents password reuse.
Set the number of previous passwords to remember to the desired value (e.g., 5 or more; the maximum is 24).
Optionally, enforce other password requirements such as a minimum length, complexity requirements, and expiration settings.
Save the changes.
Using AWS CLI:
aws iam update-account-password-policy --password-reuse-prevention 5
Caution: update-account-password-policy does not support partial updates. Every option omitted from the call reverts to its default, so running the command exactly as shown on an account that already has a password policy also resets the minimum length, the complexity requirements, password expiration and the users' ability to change their own passwords. When the account already has a policy, pass all of its existing settings together with --password-reuse-prevention.
Backout Plan:
Using AWS Console:
If password policy changes cause user issues:
Sign in to the IAM Console and go to Account settings > Password policy.
Temporarily reduce the password reuse prevention setting to a lower value (e.g., 1 or 2; 1 is the minimum, and history can only be switched off entirely by clearing the option) to troubleshoot any issues. Lowering the value does not affect passwords already in use; it only changes what is accepted at the next password change.
Reapply the original setting (e.g., 5 or more) once the issue is resolved.
Using AWS CLI:
To temporarily lower the setting (include the account's other existing password policy options in the same call, since any option omitted from update-account-password-policy reverts to its default):
aws iam update-account-password-policy --password-reuse-prevention 1
Once the issue is resolved, set the policy back to the intended number of remembered passwords, again together with the other existing options:
aws iam update-account-password-policy --password-reuse-prevention 5
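The Test Plan, Implementation Plan and Backout Plan above all drive the same two CLI calls. The script below is an added example, not part of the original page and not AWS-provided tooling. It wraps the audit in a check that treats both an unset attribute (None) and a missing policy (NoSuchEntity) as failures, and it performs the update while re-asserting every existing setting, because update-account-password-policy reverts any omitted parameter to its default. It assumes a configured AWS CLI whose principal holds iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy; the names POLICY_QUERY, check_reuse_prevention, bool_flag, build_update_args and main are chosen here, and the sample policy lines mentioned in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original page or from AWS): audit the IAM
# PasswordReusePrevention setting and remediate it without resetting the
# rest of the password policy. Assumes a configured AWS CLI whose principal
# holds iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy.
# POLICY_QUERY, check_reuse_prevention, bool_flag, build_update_args and
# main are names chosen here, not AWS CLI names.
set -eu

# Every attribute we must re-assert, as a JMESPath list projection so that
# `--output text` prints them on one tab-separated line, e.g. (constructed):
#   14<TAB>True<TAB>True<TAB>True<TAB>True<TAB>True<TAB>90<TAB>None<TAB>False
# Unset attributes print as "None"; booleans print as "True" or "False".
POLICY_QUERY='PasswordPolicy.[MinimumPasswordLength,RequireSymbols,RequireNumbers,RequireUppercaseCharacters,RequireLowercaseCharacters,AllowUsersToChangePassword,MaxPasswordAge,PasswordReusePrevention,HardExpiry]'

# check_reuse_prevention VALUE MINIMUM
# VALUE is what `--query PasswordPolicy.PasswordReusePrevention --output text`
# prints: an integer, or "None" when the attribute was never set. Succeeds
# only when VALUE is an integer >= MINIMUM.
check_reuse_prevention() {
  case "$1" in
    ''|None) return 1 ;;   # attribute absent: no history is enforced
    *[!0-9]*) return 1 ;;  # not an integer
  esac
  [ "$1" -ge "$2" ]
}

# bool_flag NAME VALUE -> "--NAME" when VALUE is True, "--no-NAME" otherwise
bool_flag() {
  if [ "$2" = True ]; then printf '%s' "--$1"; else printf '%s' "--no-$1"; fi
}

# build_update_args POLICY_LINE N
# POLICY_LINE is the tab-separated output of POLICY_QUERY. Prints the full
# argument list for `aws iam update-account-password-policy` that re-asserts
# every current setting and sets --password-reuse-prevention to N. This is
# necessary because the API has no partial update: any parameter left out of
# the call reverts to its default, which silently weakens the policy.
# The body runs in a subshell so the IFS change stays local.
build_update_args() (
  n=$2
  IFS=$(printf '\t'); set -- $1
  minlen=$1 symbols=$2 numbers=$3 upper=$4 lower=$5 change=$6 maxage=$7 hard=$9
  args="--password-reuse-prevention $n"
  if [ "$minlen" != None ]; then args="$args --minimum-password-length $minlen"; fi
  args="$args $(bool_flag require-symbols "$symbols")"
  args="$args $(bool_flag require-numbers "$numbers")"
  args="$args $(bool_flag require-uppercase-characters "$upper")"
  args="$args $(bool_flag require-lowercase-characters "$lower")"
  args="$args $(bool_flag allow-users-to-change-password "$change")"
  # MaxPasswordAge is None when expiry is off; the API rejects 0, so only
  # pass it through when it is a positive number of days.
  if [ "$maxage" != None ] && [ "$maxage" -gt 0 ]; then
    args="$args --max-password-age $maxage"
  fi
  args="$args $(bool_flag hard-expiry "$hard")"
  printf '%s\n' "$args"
)

# Driver. Only this part talks to AWS; the functions above are pure so they
# can be exercised offline. With no arguments the script just defines them.
main() {
  case "$1" in
    audit)
      # A NoSuchEntity error (no custom policy) and an unset attribute both
      # mean nothing is enforced, so both collapse to "None".
      value=$(aws iam get-account-password-policy \
                --query 'PasswordPolicy.PasswordReusePrevention' \
                --output text 2>/dev/null || echo None)
      if check_reuse_prevention "$value" "${2:-5}"; then
        echo "PASS: PasswordReusePrevention=$value"
      else
        echo "FAIL: PasswordReusePrevention=$value, want at least ${2:-5}"; exit 2
      fi ;;
    fix)
      n=${2:?N required, 1 to 24}
      line=$(aws iam get-account-password-policy --query "$POLICY_QUERY" --output text) ||
        { echo "no custom policy exists yet; set every option explicitly" >&2; exit 1; }
      # shellcheck disable=SC2046  # splitting into separate arguments is intended
      aws iam update-account-password-policy $(build_update_args "$line" "$n") ;;
    *)
      echo "usage: $0 audit [MIN] | fix N" >&2; exit 64 ;;
  esac
}
[ $# -eq 0 ] || main "$@"
```

Run `sh iam-reuse.sh audit 5` for the test plan, `sh iam-reuse.sh fix 5` for the implementation, and `sh iam-reuse.sh fix 1` followed later by `fix 5` for the backout; in every case the other policy options are read first and written back unchanged.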