Profile Applicability:
Level 1


Description:
This control ensures that the AWS Identity and Access Management (IAM) password policy prevents users from reusing their previously used passwords. Specifically, the policy should be configured to remember at least the last 24 passwords. Enforcing a password reuse limit reduces the likelihood of users cycling through a small set of known passwords, thereby strengthening the overall security posture.


Rationale:
Password reuse is a common security weakness that allows attackers to exploit previously compromised credentials. By restricting users from reusing their old passwords, organizations enforce better password hygiene and reduce the risk of credential-based attacks. This practice aligns with security best practices and compliance standards such as CIS, ISO 27001, SOC 2, and NIST SP 800-53, ensuring consistent protection of IAM user credentials.


Impact:
Positive Impact: Improves credential security by ensuring that previously compromised or weak passwords cannot be reused, reducing the likelihood of successful brute-force or replay attacks.
Negative Impact: May cause minor inconvenience to users when creating new passwords, especially in large environments with frequent password updates.


Default Value:
By default, AWS does not enforce any password reuse prevention policy. It must be manually configured in the IAM password policy settings.


Pre-Requisite:

  • IAM permissions required: iam:GetAccountPasswordPolicy, iam:UpdateAccountPasswordPolicy.

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console with administrative privileges.

  2. Navigate to IAM → Account settings → Password policy.

  3. Check whether the option “Prevent password reuse” is enabled.

  4. Verify that the number of remembered passwords is set to 24 or greater.

  5. If this setting is disabled or set to fewer than 24 passwords, the account is non-compliant.

Implementation Plan:
Using AWS Console:

  1. Navigate to IAM → Account settings → Password policy.

  2. Click Edit password policy.

  3. Enable the checkbox “Prevent password reuse.”

  4. In the text box, specify the number of previous passwords to remember (set to 24 or greater).

  5. (Optional) Review and enable additional best practices such as password expiration and minimum length requirements.

  6. Click Save changes to apply the new policy.
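
The same check and remediation can be scripted against the IAM API named in the pre-requisites. The following Python is an added example, not part of this benchmark: it evaluates a GetAccountPasswordPolicy response against the 24-password requirement and builds a complete UpdateAccountPasswordPolicy request, because that API replaces the whole policy and silently resets any parameter you omit. The sample response is constructed; `fetch_live_policy` assumes a boto3 IAM client and is only needed for a live account.

```python
"""Check and remediate the IAM password reuse prevention control."""

REQUIRED_HISTORY = 24

# Parameters UpdateAccountPasswordPolicy accepts; ExpirePasswords is output-only.
UPDATABLE_KEYS = (
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "MaxPasswordAge",
    "PasswordReusePrevention", "HardExpiry",
)

def fetch_live_policy(iam_client):
    """Read the account policy with a boto3 IAM client (None when none is set)."""
    try:
        return iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        return None

def evaluate_reuse_prevention(policy):
    """Return (compliant, reason) for a PasswordPolicy dict or None (no policy)."""
    if policy is None:
        return False, "no account password policy is configured"
    remembered = policy.get("PasswordReusePrevention")
    if remembered is None:
        return False, "Prevent password reuse is disabled"
    if remembered < REQUIRED_HISTORY:
        return False, f"remembers only {remembered} passwords (need {REQUIRED_HISTORY})"
    return True, f"remembers {remembered} passwords"

def build_update_params(policy, history=REQUIRED_HISTORY):
    """UpdateAccountPasswordPolicy has no partial update: omitted parameters
    revert to defaults, so carry every existing setting forward and only
    raise PasswordReusePrevention."""
    params = {k: v for k, v in (policy or {}).items() if k in UPDATABLE_KEYS}
    params["PasswordReusePrevention"] = max(history, params.get("PasswordReusePrevention", 0))
    return params

# Constructed sample of a GetAccountPasswordPolicy response for a non-compliant account.
SAMPLE_RESPONSE = {"PasswordPolicy": {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 5, "HardExpiry": False,
}}

if __name__ == "__main__":
    policy = SAMPLE_RESPONSE["PasswordPolicy"]
    print(evaluate_reuse_prevention(policy), build_update_params(policy))
```

Passing the dict returned by `build_update_params` as keyword arguments to `update_account_password_policy` applies the fix without clobbering minimum length, expiration or complexity settings.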

Backout Plan:

  1. If users experience login difficulties after enabling this setting, temporarily reduce the password history count to a lower value; note that any value below 24 leaves the account non-compliant until the setting is restored.

  2. Communicate policy updates to users and provide password management guidance to minimize disruptions.

References: