Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days)

Enforce timely password resets for AWS IAM users, requiring them to change their passwords within 45 days of expiration. This security measure enhances AWS account protection by mitigating the risk of unauthorized access resulting from compromised passwords

Risk Level: Low
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.LOG.26
Covered by Spectral: No
Category: Security, Identity, & Compliance


IamUser should have passwordNextRotation<=45


From Portal

  1. Navigate to your AWS Identity and Access Management (IAM) dashboard.
    2.Within the navigation panel, select 'Credential Report'
    3.Click the 'Download Report' option to access a comprehensive list of all your AWS account users along with the status of their various credentials.
    4.Open the downloaded file
    5.Examine the 'password_next_rotation' column value for each listed AWS IAM user.
    6.Verify if the 'password_next_rotation' value indicates a timeframe of fewer than 45 days, ensuring
    that password rotations are scheduled within the recommended security threshold.

From Command Line

To Retrieve the IAM Credential Report:

aws iam get-credential-report

To Decode and Save the Report as a CSV File:

echo -n 'YOUR_CONTENT'| base64 -d >> aws-iam-credentials-report.csv

To Set a Valid Password Policy:

aws iam update-account-password-policy --allow-users-to-change-password --max-password-age 30


  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

  • CloudGuard AWS All Rules Ruleset