Profile Applicability:
• Level 2
Description:
A secure password policy ensures that users follow best practices when creating passwords for their IAM accounts. AWS allows administrators to define password policies to enforce rules such as password length, complexity, and expiration. Implementing a secure password policy reduces the risk of unauthorized access by ensuring that passwords are strong and regularly updated.
Rationale:
A strong password policy is critical for securing AWS accounts and preventing unauthorized access. By enforcing a policy with requirements for password complexity (length, characters, expiration), AWS helps mitigate the risk of brute force attacks, password guessing, and other forms of unauthorized access. This helps organizations comply with security standards and regulations such as NIST, ISO 27001, and SOC 2.
Impact:
Pros:
Enhances security by enforcing strong password practices
Helps mitigate the risk of password-related attacks (e.g., brute force, credential stuffing)
Ensures compliance with regulatory and industry standards
Allows for periodic password changes, reducing the chances of long-term exposure if credentials are compromised
Cons:
Can lead to user frustration if the policy is overly strict (e.g., too frequent password changes, complex requirements)
Requires regular monitoring and updates to ensure the policy remains effective against evolving security threats
Increased administrative overhead for managing and enforcing the policy
Default Value:
By default, AWS does not enforce a password policy. You must manually configure the policy for your IAM users.
Pre-requisites:
IAM permissions to manage password policies
Understanding of organizational requirements for password strength, expiration, and history
Familiarity with compliance requirements (e.g., ISO 27001, NIST, SOC 2) related to password policies
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to IAM > Account Settings
Review the current password policy settings, including:
Password length (minimum and maximum)
Password complexity (requirements for uppercase, lowercase, numbers, and special characters)
Password expiration settings
Password history (prevents reuse of old passwords)
Ensure that the policy meets the organization's security standards
Test the policy by attempting to create a new IAM user with a weak password to ensure that the policy is being enforced
Using AWS CLI:
View the current password policy settings:
aws iam get-account-password-policy
Review the policy attributes, including the minimum length, complexity, expiration, and history settings.
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to IAM > Account Settings
Under Password Policy, click Edit
Set the password policy according to the organization's security standards:
Minimum password length: Typically at least 8 characters, but organizations may require longer passwords
Require at least one uppercase letter, one lowercase letter, one number, and one special character
Enable password expiration (e.g., every 90 days)
Prevent password reuse by specifying how many previous passwords cannot be reused
Save the changes to apply the password policy
Using AWS CLI:
Create or modify the IAM password policy with the following command:
aws iam update-account-password-policy \
  --minimum-password-length 12 \
  --require-symbols \
  --require-numbers \
  --require-uppercase-characters \
  --require-lowercase-characters \
  --max-password-age 90 \
  --password-reuse-prevention 5
This example enforces a minimum password length of 12 characters, requires symbols, numbers, and both uppercase and lowercase letters, enforces password expiration every 90 days, and prevents the reuse of the last 5 passwords.
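The following is an added check script, not part of this benchmark document or of AWS tooling, that evaluates the JSON printed by aws iam get-account-password-policy (the Test Plan step above) against the settings used in the remediation command (12-character minimum, all four character classes, 90-day expiry, 5-password history). The thresholds and the two sample policy documents are constructed for illustration; the field names are those the CLI actually prints. A missing policy (the NoSuchEntity error the CLI returns when no policy has ever been set) is modelled as policy=None and reported as a finding, since that is the AWS default state.

```python
import json

# Required settings, matching the remediation command in this document.
REQUIRED_MIN_LENGTH = 12
REQUIRED_CLASSES = (
    "RequireSymbols",
    "RequireNumbers",
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
)
REQUIRED_MAX_AGE_DAYS = 90
REQUIRED_REUSE_PREVENTION = 5


def check_password_policy(policy):
    """Evaluate one PasswordPolicy object (the value under "PasswordPolicy" in the
    get-account-password-policy output) and return a list of findings.
    policy=None models the NoSuchEntity case: no policy has been set at all,
    which is the AWS default and is reported as non-compliant."""
    if policy is None:
        return ["no account password policy is configured (AWS default)"]

    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < REQUIRED_MIN_LENGTH:
        findings.append(f"MinimumPasswordLength is {length}, required {REQUIRED_MIN_LENGTH}")

    for key in REQUIRED_CLASSES:
        if not policy.get(key, False):
            findings.append(f"{key} is not enabled")

    # When expiry is off, ExpirePasswords is false and MaxPasswordAge is omitted entirely.
    if not policy.get("ExpirePasswords", False) or "MaxPasswordAge" not in policy:
        findings.append("password expiration is not enabled")
    elif policy["MaxPasswordAge"] > REQUIRED_MAX_AGE_DAYS:
        findings.append(
            f"MaxPasswordAge is {policy['MaxPasswordAge']} days, required at most {REQUIRED_MAX_AGE_DAYS}"
        )

    # PasswordReusePrevention is omitted when reuse is not restricted.
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < REQUIRED_REUSE_PREVENTION:
        findings.append(
            f"PasswordReusePrevention is {reuse}, required at least {REQUIRED_REUSE_PREVENTION}"
        )

    return findings


def check_cli_output(raw_json):
    """Parse the raw stdout of `aws iam get-account-password-policy` and evaluate it."""
    return check_password_policy(json.loads(raw_json)["PasswordPolicy"])


# Constructed sample outputs in the shape the CLI prints; not captured from a real account.
COMPLIANT_OUTPUT = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 12, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True, "MaxPasswordAge": 90,
    "PasswordReusePrevention": 5, "HardExpiry": False}})

WEAK_OUTPUT = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False, "HardExpiry": False}})

if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT_OUTPUT), ("weak", WEAK_OUTPUT)):
        findings = check_cli_output(raw)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
    print("no policy:", check_password_policy(None))
```

In practice the script is fed with the real output, for example aws iam get-account-password-policy | python3 check_policy.py after replacing the sample constants with sys.stdin.read(); the thresholds should be adjusted to the organization's own standard where it differs from the example values.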
Backout Plan:
Using AWS Console:
Navigate to IAM > Account Settings
Click Edit under Password Policy
Reset the password policy to the previous settings or disable specific rules if necessary (e.g., remove password expiration or complexity requirements)
Save the changes
Using AWS CLI:
To revert to a simpler policy, use the following command. Note that update-account-password-policy replaces the whole policy, and the API rejects a value of 0 for --max-password-age and --password-reuse-prevention (their valid ranges start at 1); omitting those options returns them to their default of 0, so they are left out rather than set to 0:
aws iam update-account-password-policy \
  --no-require-symbols \
  --no-require-numbers \
  --no-require-uppercase-characters \
  --no-require-lowercase-characters
This removes the complexity requirements and leaves the password expiration and reuse-prevention settings unset (0, no expiration), effectively disabling password aging. To remove the custom policy entirely and return to the AWS default, run aws iam delete-account-password-policy instead.