Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days)
Ensure that every IAM user who has a console password is due to rotate it within the next 45 days, i.e. the credential report's 'password_next_rotation' value is at most 45 days away. This requires an account password policy that sets a maximum password age; regular rotation limits how long a compromised or leaked password remains usable and so reduces the risk of unauthorized access to the AWS account.
Risk Level: Low
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.LOG.26
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
IamUser should have passwordNextRotation<=45
REMEDIATION
From Portal
1. Navigate to your AWS Identity and Access Management (IAM) dashboard.
2. Within the navigation panel, select 'Credential report'.
3. Click 'Download Report' to obtain a CSV listing every user in the account together with the status of each of their credentials.
4. Open the downloaded file.
5. Examine the 'password_next_rotation' column for each IAM user whose 'password_enabled' column is 'true' (users without a console password show 'N/A' here and are out of scope, as is the '<root_account>' row, which is not an IAM user).
6. Verify that each value is a timestamp no more than 45 days in the future. A value of 'N/A' for a password-enabled user means the account has no maximum password age, so the password never expires; that also fails the check.
7. If any user fails, set or shorten the maximum password age under Account settings > Password policy so that every password expires within 45 days.
From Command Line
To Generate a Fresh IAM Credential Report (AWS keeps a report for four hours; run this first, and repeat until the returned State is COMPLETE):
aws iam generate-credential-report
To Retrieve and Decode the Report into a CSV File (the report body is returned base64-encoded in the Content field of the JSON response):
aws iam get-credential-report --query Content --output text | base64 -d > aws-iam-credentials-report.csv
To Set a Valid Password Policy (a maximum age of 30 days keeps every user's next rotation within the 45-day threshold; note that update-account-password-policy replaces the whole policy, so any other settings you rely on, such as minimum length or password reuse prevention, must be passed in the same call or they revert to their defaults):
aws iam update-account-password-policy --allow-users-to-change-password --max-password-age 30
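The portal and command-line checks above can be automated. The following Python script, added here as an example and not part of CloudGuard's or AWS's own tooling, decodes a get-credential-report response and applies the rule's logic (passwordNextRotation<=45) to every password-enabled IAM user, skipping the root row and users without a console password and treating an 'N/A' rotation date as a failure. The report rows, the account ID 123456789012, the user names and the fixed evaluation date are all constructed so the script runs offline; in use you would feed it the real JSON from aws iam get-credential-report or boto3's get_credential_report().

```python
"""Evaluate CloudGuard rule D9.AWS.LOG.26 (passwordNextRotation <= 45 days)
over an IAM credential report.  Added example, not CloudGuard's or AWS's code.

`aws iam get-credential-report` returns JSON whose "Content" field is the CSV
report, base64-encoded.  SAMPLE_RESPONSE below is a constructed stand-in for
that JSON so the script runs offline.
"""
import base64
import csv
import io
from datetime import datetime, timezone

THRESHOLD_DAYS = 45  # the rule's limit: IamUser should have passwordNextRotation<=45

# Constructed sample report. Only the leading columns of a real report are
# shown; a real one also carries access-key and certificate columns, which
# csv.DictReader simply ignores. Account ID and user names are invented.
SAMPLE_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,2021-03-10T09:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-04-20T08:00:00+00:00,2024-05-20T08:00:00+00:00,true
bob,arn:aws:iam::123456789012:user/bob,2021-03-10T09:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-02-01T08:00:00+00:00,2024-08-01T08:00:00+00:00,false
carol,arn:aws:iam::123456789012:user/carol,2023-01-15T09:00:00+00:00,true,no_information,2023-01-15T09:30:00+00:00,N/A,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-06-01T09:00:00+00:00,false,no_information,N/A,N/A,false
"""

# Shape of the CLI's JSON output, with the CSV base64-encoded as the CLI does it.
SAMPLE_RESPONSE = {
    "Content": base64.b64encode(SAMPLE_CSV.encode("utf-8")).decode("ascii"),
    "ReportFormat": "text/csv",
    "GeneratedTime": "2024-05-03T00:00:00+00:00",
}

# Fixed evaluation time (constructed) so the sample gives stable results.
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)


def parse_credential_report(response):
    """Decode the base64 Content field and return one dict per report row."""
    body = base64.b64decode(response["Content"]).decode("utf-8")
    return list(csv.DictReader(io.StringIO(body)))


def check_password_rotation(rows, now=NOW, threshold_days=THRESHOLD_DAYS):
    """Apply the rule to every IAM user that has a console password.

    Returns {user: {"days_until_rotation": int or None, "compliant": bool, "reason": str}}.
    The root account (not an IAM user) and users with password_enabled != true
    are skipped because there is no password to rotate.
    """
    findings = {}
    for row in rows:
        if row["user"] == "<root_account>" or row["password_enabled"] != "true":
            continue
        value = row["password_next_rotation"]
        if value in ("N/A", "not_supported", ""):
            # No rotation date at all: the account password policy has no
            # maximum password age, so this password never expires.
            findings[row["user"]] = {
                "days_until_rotation": None,
                "compliant": False,
                "reason": "no rotation scheduled (set a maximum password age)",
            }
            continue
        # Report timestamps are ISO 8601 with an explicit offset, e.g. 2024-05-20T08:00:00+00:00.
        days = (datetime.fromisoformat(value) - now).days  # negative means already overdue
        findings[row["user"]] = {
            "days_until_rotation": days,
            "compliant": days <= threshold_days,
            "reason": "next rotation in %d day(s)" % days,
        }
    return findings


def evaluate(response=SAMPLE_RESPONSE, now=NOW):
    """Parse a get-credential-report response and run the rule over it."""
    return check_password_rotation(parse_credential_report(response), now)


if __name__ == "__main__":
    for user, result in evaluate().items():
        print("%s %s: %s" % ("PASS" if result["compliant"] else "FAIL", user, result["reason"]))
```

With the constructed data, alice passes (17 days out), bob fails (90 days out) and carol fails because no rotation is scheduled; svc-deploy and the root row are skipped. Replace SAMPLE_RESPONSE with `json.load` of the CLI output and NOW with `datetime.now(timezone.utc)` to run it against a real account.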
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
IAM User
An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.
Compliance Frameworks
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago