Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days)

Implement a security measure to enhance AWS account protection by enforcing timely password resets for AWS IAM users, requiring them to change their passwords within 30 days of expiration. This practice mitigates the risk of unauthorized access stemming from compromised passwords.

Risk Level: Low
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.LOG.25
Covered by Spectral: No
Category: Security, Identity, & Compliance


IamUser should have passwordNextRotation<=30


From Portal

  1. Navigate to your AWS Identity and Access Management (IAM) dashboard.
    2.Within the navigation panel, select 'Credential Report'
    3.Click the 'Download Report' option to access a comprehensive list of all your AWS account users along with the status of their various credentials.
    4.Open the downloaded file
    5.Examine the 'password_next_rotation column value for each listed AWS IAM user.
    6.Verify if the 'password_next_rotation' value indicates a timeframe of fewer than 30 days, ensuring
    that password rotations are scheduled within the recommended security threshold.

From Command Line

To Retrieve the IAM Credential Report:

aws iam get-credential-report

To Decode and Save the Report as a CSV File:

echo -n 'YOUR_CONTENT'| base64 -d >> aws-iam-credentials-report.csv

To Set a Valid Password Policy:

aws iam update-account-password-policy --allow-users-to-change-password --max-password-age 30


  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

  • CloudGuard AWS All Rules Ruleset