Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days)
Enforce timely password rotation for AWS IAM users so that every user's console password is due to be changed within the next 30 days. This practice limits the window in which a compromised password can be used for unauthorized access.
Risk Level: Low
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.LOG.25
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
IamUser should have passwordNextRotation<=30
REMEDIATION
From Portal
1. Navigate to your AWS Identity and Access Management (IAM) dashboard.
2. Within the navigation panel, select 'Credential Report'.
3. Click 'Download Report' to obtain a CSV listing every user in your AWS account along with the status of their various credentials.
4. Open the downloaded file.
5. Examine the 'password_next_rotation' column value for each listed AWS IAM user.
6. Verify that each 'password_next_rotation' value is fewer than 30 days away, which confirms that password rotation is scheduled within the recommended security threshold.
From Command Line
To retrieve the IAM Credential Report (if no report has been generated yet, run aws iam generate-credential-report first and retry once it reports COMPLETE):
aws iam get-credential-report
To decode and save the report as a CSV file, where YOUR_CONTENT is the base64 value of the 'Content' field returned by the previous command:
echo -n 'YOUR_CONTENT' | base64 -d > aws-iam-credentials-report.csv
To set a valid password policy (note that this call replaces the whole account password policy; any option you omit reverts to its default, so include every setting you rely on):
aws iam update-account-password-policy --allow-users-to-change-password --max-password-age 30
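The check above can be automated against the credential report. The following script is an added example, not part of CloudGuard or the AWS CLI: it decodes the JSON printed by aws iam get-credential-report, then flags IAM users with a console password whose password_next_rotation is N/A or more than 30 days away. The sample report, account id and reference time are constructed for the example.

```python
"""Added example: flag IAM users whose password_next_rotation is more than 30 days out."""
import base64
import csv
import io
import json
import sys
from datetime import datetime, timezone

MAX_DAYS = 30  # same threshold as the GSL rule: passwordNextRotation <= 30

# Constructed sample in the credential report's CSV layout (only the columns this check
# reads; the account id, user names and timestamps are made up for this example).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation
alice,arn:aws:iam::111111111111:user/alice,2022-01-01T00:00:00+00:00,true,2024-03-01T10:00:00+00:00,2024-02-20T00:00:00+00:00,2024-03-21T00:00:00+00:00
bob,arn:aws:iam::111111111111:user/bob,2022-01-01T00:00:00+00:00,true,N/A,2023-12-01T00:00:00+00:00,2024-05-29T00:00:00+00:00
carol,arn:aws:iam::111111111111:user/carol,2022-01-01T00:00:00+00:00,true,N/A,2024-01-15T00:00:00+00:00,N/A
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2022-01-01T00:00:00+00:00,false,N/A,N/A,N/A
"""
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed reference time for the sample
# What `aws iam get-credential-report` prints: JSON whose "Content" field is the base64 CSV.
SAMPLE_CLI_JSON = json.dumps({"Content": base64.b64encode(SAMPLE_REPORT.encode()).decode()})


def decode_cli_output(cli_json: str) -> str:
    """Decode the base64 'Content' field of the get-credential-report JSON into CSV text."""
    return base64.b64decode(json.loads(cli_json)["Content"]).decode()


def find_noncompliant_users(report_csv: str, now: datetime, max_days: int = MAX_DAYS) -> dict:
    """Return {user: reason} for console users whose next rotation is not due within max_days.
    Root and users without a console password are out of scope. N/A means no rotation is
    scheduled (no max age in the policy). An overdue (past) date still satisfies <= max_days."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>" or row["password_enabled"] != "true":
            continue
        nxt = row["password_next_rotation"]
        if nxt in ("N/A", "not_supported", ""):
            findings[row["user"]] = "no rotation scheduled"
            continue
        days_left = (datetime.fromisoformat(nxt) - now).days
        if days_left > max_days:
            findings[row["user"]] = f"next rotation in {days_left} days"
    return findings


if __name__ == "__main__":
    # Usage: aws iam get-credential-report | python3 check_rotation.py  (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLI_JSON
    for user, why in find_noncompliant_users(decode_cli_output(text), datetime.now(timezone.utc)).items():
        print(f"{user}: {why}")
```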
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
IAM User
An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.
Compliance Frameworks
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago