Enforce Password Policy

Password policies are, in part, used to enforce password complexity requirements. An IAM account password policy can be used to ensure that passwords draw on several character sets, meet a minimum length, and are subject to rotation and reuse (history) restrictions.

Risk Level: High
Cloud Entity: AWS Identity and Access Management (IAM)
CloudGuard Rule ID: D9.AWS.PRE.02
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

Iam should have passwordPolicy.enabledInAccount=true

REMEDIATION

From Portal

  1. Sign in to the AWS console.
  2. In the console, select the specific region.
  3. Navigate to the 'Identity and Access Management (IAM)' service.
  4. In the left pane click on 'Account settings'.
  5. Click on 'Change password policy' and select your account password policy requirements.
  6. Select the options that you want to apply to your password policy and choose 'Save changes'.

From TF

# The values below are example settings; set them to your organization's requirements.
resource "aws_iam_account_password_policy" "Example" {
	minimum_password_length        = 14    # characters
	max_password_age               = 90    # days before a password must be rotated
	password_reuse_prevention      = 24    # previous passwords that cannot be reused
	hard_expiry                    = false # true blocks sign-in until an administrator resets an expired password
	require_lowercase_characters   = true
	require_numbers                = true
	require_uppercase_characters   = true
	require_symbols                = true
	allow_users_to_change_password = true
}

From Command Line
In order to enforce a password policy, use the following CLI command:

aws iam update-account-password-policy \
    [--minimum-password-length PUT_VALUE] \
    [--require-symbols | --no-require-symbols] \
    [--require-numbers | --no-require-numbers] \
    [--require-uppercase-characters | --no-require-uppercase-characters] \
    [--require-lowercase-characters | --no-require-lowercase-characters] \
    [--allow-users-to-change-password | --no-allow-users-to-change-password] \
    [--max-password-age PUT_VALUE] \
    [--password-reuse-prevention PUT_VALUE] \
    [--hard-expiry | --no-hard-expiry]
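The GSL logic above only checks that a policy exists; the remediation steps then leave the individual settings to the operator. The following added example (not part of the CloudGuard rule or of AWS tooling) reads the same "PasswordPolicy" object that `aws iam get-account-password-policy` returns and reports which settings fall short of a baseline. The baseline thresholds (14 characters, 90-day rotation, 24-password history) and the sample policies are assumptions constructed for the example; the absent-policy case maps to the rule's `passwordPolicy.enabledInAccount` condition.

```python
"""Audit an AWS IAM account password policy against a baseline.

Added example for this rule page; the baseline thresholds are assumed
values (CIS AWS Foundations-style), not values stated by the rule itself.
"""
from typing import Dict, List, Optional

# Assumed baseline thresholds; adjust to your organization's requirements.
BASELINE = {
    "MinimumPasswordLength": 14,    # characters
    "MaxPasswordAge": 90,           # days; rotation must be enabled and at or below this
    "PasswordReusePrevention": 24,  # previous passwords that cannot be reused
}
REQUIRED_FLAGS = (
    "RequireSymbols",
    "RequireNumbers",
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
)


def evaluate_policy(policy: Optional[Dict]) -> List[str]:
    """Return findings for a PasswordPolicy mapping; an empty list means compliant.

    `policy` is the "PasswordPolicy" object returned by
    `aws iam get-account-password-policy` (same keys as boto3), or None when
    the account has no custom policy at all, which is the condition the GSL
    rule passwordPolicy.enabledInAccount=true detects.
    """
    if policy is None:
        return ["no account password policy is set; AWS defaults apply"]

    findings = []
    min_len = policy.get("MinimumPasswordLength", 0)
    if min_len < BASELINE["MinimumPasswordLength"]:
        findings.append(
            f"MinimumPasswordLength is {min_len}, below {BASELINE['MinimumPasswordLength']}"
        )
    for flag in REQUIRED_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"{flag} is not enforced")
    # MaxPasswordAge is only present in the response when ExpirePasswords is true.
    if not policy.get("ExpirePasswords", False):
        findings.append("password rotation is disabled (ExpirePasswords=false)")
    elif policy.get("MaxPasswordAge", 0) > BASELINE["MaxPasswordAge"]:
        findings.append(
            f"MaxPasswordAge is {policy['MaxPasswordAge']} days, above {BASELINE['MaxPasswordAge']}"
        )
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < BASELINE["PasswordReusePrevention"]:
        findings.append(
            f"PasswordReusePrevention is {reuse}, below {BASELINE['PasswordReusePrevention']}"
        )
    return findings


def fetch_policy() -> Optional[Dict]:
    """Read the live policy with boto3 (needs AWS credentials); None when unset."""
    import boto3
    from botocore.exceptions import ClientError

    iam = boto3.client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "NoSuchEntity":
            return None
        raise


# Constructed sample responses, shaped like get-account-password-policy output.
SAMPLE_WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "HardExpiry": False,
}
SAMPLE_STRONG_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}

if __name__ == "__main__":
    samples = (("none", None), ("weak", SAMPLE_WEAK_POLICY), ("strong", SAMPLE_STRONG_POLICY))
    for name, pol in samples:
        findings = evaluate_policy(pol)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for item in findings:
            print("  -", item)
```

Run against the embedded samples it needs no credentials; replace the sample with `fetch_policy()` to audit a real account. Treating a missing policy as a finding rather than an error matters because the API returns NoSuchEntity for an account that has never had a policy set, which is exactly the state this rule flags.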

References

  1. http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
  2. https://registry.terraform.io/modules/rhythmictech/password-policy/iam/latest
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy
  4. https://docs.aws.amazon.com/cli/latest/reference/iam/update-account-password-policy.html

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
IAM is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your users.

Compliance Frameworks

  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0