Profile Applicability:
Level 1

Description:
This control ensures that the AWS Identity and Access Management (IAM) password policy enforces password expiration within 90 days or less. Enforcing password rotation reduces the duration that compromised credentials remain valid and helps minimize potential unauthorized access.


Rationale:
Regularly expiring and rotating passwords limits the window of opportunity for an attacker to exploit stolen or weak credentials. A 90-day expiration policy ensures timely updates of user passwords while aligning with standard security frameworks such as CIS, SOC 2, ISO 27001, and NIST 800-53. This proactive measure helps maintain the confidentiality and integrity of AWS accounts and prevents long-term password reuse.


Impact:
Positive Impact: Enhances account security by minimizing the exposure time of compromised passwords and improving compliance posture.
Negative Impact: Users may experience minor inconvenience due to periodic password changes, especially without centralized password management tools.


Default Value:
By default, AWS does not enforce password expiration unless manually configured.

Pre-Requisite:

  • IAM permissions required: iam:GetAccountPasswordPolicy, iam:UpdateAccountPasswordPolicy.

Test Plan
Using AWS Console:

  1. Sign in to the AWS Management Console using an account with administrative privileges.

  2. Navigate to IAM → Account settings → Password policy.

  3. Locate the option “Expire passwords in (days)”.

  4. Verify that password expiration is enabled and set to 90 days or fewer.

  5. If password expiration is disabled or exceeds 90 days, the account is non-compliant.


Implementation Plan
Using AWS Console:

  1. Navigate to IAM → Account settings → Password policy.

  2. Click Edit password policy.

  3. Enable the option “Enable password expiration”.

  4. Set the password expiration period to 90 days or less (e.g., 60 or 90).

  5. (Optional but recommended) Enable additional settings such as:

    • Prevent password reuse (e.g., remember the last 24 passwords).

    • Require at least one uppercase, one lowercase, one number, and one symbol.

  6. Click Save changes.
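The Test Plan and Implementation Plan above can also be verified from the command line: `aws iam get-account-password-policy` prints the current policy as JSON. The script below is an added example (not part of this control text) that evaluates that JSON against the 90-day requirement; the sample outputs are constructed in the shape the CLI returns, not taken from a real account.

```python
import json

MAX_AGE_DAYS = 90  # control threshold: passwords must expire in 90 days or fewer


def check_password_expiration(policy_json: str, max_age_days: int = MAX_AGE_DAYS) -> tuple:
    """Evaluate the JSON printed by `aws iam get-account-password-policy`.

    Returns (compliant, reason). A policy is compliant only when
    ExpirePasswords is true AND MaxPasswordAge is present and <= max_age_days.
    Note: if the account has never had a policy configured, the CLI call fails
    with a NoSuchEntity error instead of printing JSON; treat that as non-compliant.
    """
    policy = json.loads(policy_json).get("PasswordPolicy", {})
    if not policy.get("ExpirePasswords", False):
        return False, "password expiration is disabled"
    age = policy.get("MaxPasswordAge")
    if age is None:
        return False, "ExpirePasswords is true but MaxPasswordAge is missing"
    if age > max_age_days:
        return False, f"MaxPasswordAge {age} exceeds {max_age_days} days"
    return True, f"passwords expire after {age} days"


# Constructed sample CLI outputs covering the cases the Test Plan distinguishes.
SAMPLES = {
    "no_expiration": '{"PasswordPolicy": {"MinimumPasswordLength": 8, "ExpirePasswords": false}}',
    "too_long": '{"PasswordPolicy": {"MinimumPasswordLength": 14, "ExpirePasswords": true, "MaxPasswordAge": 180}}',
    "compliant": ('{"PasswordPolicy": {"MinimumPasswordLength": 14, "RequireSymbols": true, '
                  '"RequireNumbers": true, "RequireUppercaseCharacters": true, '
                  '"RequireLowercaseCharacters": true, "ExpirePasswords": true, '
                  '"MaxPasswordAge": 90, "PasswordReusePrevention": 24}}'),
}


def audit_samples(samples=SAMPLES) -> dict:
    """Run the check over every sample; returns {name: (compliant, reason)}."""
    return {name: check_password_expiration(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in audit_samples().items():
        print(f"{name}: {'COMPLIANT' if ok else 'NON-COMPLIANT'} ({reason})")
```

When remediating with `aws iam update-account-password-policy --max-password-age 90`, pass every other setting you rely on (minimum length, reuse prevention, character requirements) in the same call, because that operation replaces the whole policy and unspecified parameters revert to their defaults.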

Backout Plan:

  1. If password expiration causes operational issues (e.g., service account disruption), temporarily extend the expiration period up to 90 days or exclude service accounts by using IAM roles instead of user accounts.

  2. Notify users of password changes ahead of enforcement to prevent lockouts.

References: