Ensure that password reset is required in IAM login profile

New users are usually created with temporary passwords, which may not be very secure. Newly created users should therefore be required to reset their passwords on first login.

Risk Level: Low
Cloud Entity: IAM User
CloudGuard Rule ID: D9.CFT.IAM.21
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

AWS_IAM_User should have LoginProfile.PasswordResetRequired='true'

REMEDIATION

From CFT
Set AWS::IAM::User LoginProfile.PasswordResetRequired to 'true'
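
An added example, not part of the original page and not CloudGuard's own code: a Python check that applies this rule's logic to a CloudFormation template in JSON form before deployment. The sample template and the names `check_password_reset` and `SAMPLE_TEMPLATE` are constructed for illustration; skipping users that have no LoginProfile and reporting intrinsic-function values as UNRESOLVED are assumptions of this example.

```python
import json

# Constructed sample template (JSON form of a CloudFormation template).
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "Alice": {"Type": "AWS::IAM::User", "Properties": {
      "LoginProfile": {"Password": {"Ref": "AlicePw"}, "PasswordResetRequired": true}}},
    "Bob": {"Type": "AWS::IAM::User", "Properties": {
      "LoginProfile": {"Password": {"Ref": "BobPw"}}}},
    "Carol": {"Type": "AWS::IAM::User", "Properties": {
      "LoginProfile": {"Password": {"Ref": "CarolPw"}, "PasswordResetRequired": "false"}}},
    "Dave": {"Type": "AWS::IAM::User", "Properties": {
      "LoginProfile": {"Password": {"Ref": "DavePw"},
                       "PasswordResetRequired": {"Ref": "ForceReset"}}}},
    "CiUser": {"Type": "AWS::IAM::User", "Properties": {"UserName": "ci"}},
    "Logs": {"Type": "AWS::S3::Bucket"}
  }
}
"""


def check_password_reset(template_text):
    """Return {logical_id: status} for each AWS::IAM::User that has a LoginProfile."""
    resources = json.loads(template_text).get("Resources", {})
    results = {}
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::IAM::User":
            continue
        profile = (res.get("Properties") or {}).get("LoginProfile")
        if not isinstance(profile, dict):
            continue  # assumption: no console password defined, so nothing to reset
        value = profile.get("PasswordResetRequired")
        if isinstance(value, dict):
            # Ref / Fn::If and similar cannot be resolved from the template alone.
            results[logical_id] = "UNRESOLVED"
        elif value is True or (isinstance(value, str) and value.lower() == "true"):
            results[logical_id] = "PASS"
        else:
            # Missing property or an explicit false both leave the temporary password in use.
            results[logical_id] = "FAIL"
    return results


if __name__ == "__main__":
    for name, status in sorted(check_password_reset(SAMPLE_TEMPLATE).items()):
        print(f"{status:10} {name}")
```

UNRESOLVED results need a review of the parameter or condition that supplies the value, since the template alone does not show whether the reset is enforced.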

References

  1. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-login-profile.html
  2. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user-loginprofile.html#cfn-iam-user-loginprofile-passwordresetrequired

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

  • AWS CloudFormation ruleset