IAM User Password Expiry 7 Days

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-039

Identify the age of your Amazon IAM user passwords and ensure that these credentials are reset before their validity period ends in order to prevent password expiry.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Monitoring the age of your IAM user credentials can help you prevent password expiry for less frequent logins and manage the user-based access to your account more efficiently.

Audit

To determine the age of your Amazon IAM user passwords, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Credential report.

04 On the Credential report page, click Download Report to download the AWS IAM report that lists all your account's users and the status of their various credentials.

05 Open the downloaded file (i.e. status_reports_<download_date>.csv) in your preferred CSV file editor and check the value available within the password_next_rotation column for each listed AWS IAM user. The password_next_rotation attribute describes the date and time when the IAM user is required to set a new password according to the password policy used by the account. The value for the AWS account (root user) is always set to not_supported. If your AWS account does have a password policy that requires password rotation, ensure that the IAM user passwords are changed according to the current password policy and skip the next steps within this section. If your AWS account does not have a password policy implemented yet, the password_next_rotation attribute value is set to N/A and you need to continue the audit process to get the IAM credentials age.

06 Within the credential report file (i.e. status_reports_<download_date>.csv), check the value available in the password_last_changed attribute column for each AWS IAM user. The password_last_changed attribute describes the date and time when an IAM user password was last set, in ISO 8601 date-time format. If an existing IAM user does not have a password, the value for this attribute is N/A. Also, the value for the AWS account (root) is always set to not_supported.

07 Based on the data available for the password_last_changed attribute, determine the age of your IAM user passwords. If the validity period for one or more AWS IAM user passwords is about to end soon, follow the steps outlined within Remediation/Resolution section to reset these credentials in order to follow best practices and prevent their expiration.

Using AWS CLI

01 Run get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for your AWS account. A credential report is a CSV document that lists all users (root and IAM users) currently available in your AWS account and the current status of their credentials:

aws iam get-credential-report

02 The command output should return the document in a TEXT/CSV format, encoded with the Base64 encoding scheme, e.g.:

{
    "Content": "cmy5cixhcm4sdXNlcl9jcmVd ... bHNlLE4vQSxmYWxzZSxDBG3=",
    "GeneratedTime": "2017-09-20T10:15:03Z",
    "ReportFormat": "text/csv"
}

03 Decode the IAM credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step as the input data. In the following example, the report is decoded and saved to a file named aws-iam-credentials-report.csv:

echo -n cmy5cixhcm4sdXNlcl9jcmVd ... bHNlLE4vQSxmYWxzZSxDBG3= | base64 -d > aws-iam-credentials-report.csv

04 Open aws-iam-credentials-report.csv in your favorite file editor and check the value available in the password_next_rotation column for each listed AWS IAM user. The password_next_rotation attribute describes the date and time when the IAM user is required to set a new password according to the implemented password policy. The value for the AWS account (root user) is always set to not_supported. If your AWS account does have a password policy that requires password rotation, ensure that the IAM user passwords are changed according to the current password policy and skip the next steps within the audit section. If your AWS account does not have a password policy implemented yet, the password_next_rotation attribute value is set to N/A and you need to continue the audit process to get the IAM user passwords age.

05 Within the aws-iam-credentials-report.csv file, check the value available in the password_last_changed column for each existing AWS IAM user. The password_last_changed attribute describes the date and time when an IAM user password was last set. If an existing IAM user does not have a password, the value for this attribute is N/A. Also, the value for the AWS account (root user) is always set to not_supported.

06 Based on the data available for the password_last_changed attribute, determine the age of your IAM user passwords. If the validity period for one or more AWS IAM user passwords is about to end soon, follow the Remediation/Resolution section instructions to reset these credentials to prevent their expiration and adhere to IAM security best practices.
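The audit steps above (both the console and the CLI variant) come down to decoding the credential report and comparing password_next_rotation or password_last_changed against the current date. The script below is an added example, not Conformity's own check or AWS code: it decodes a Base64 report the way get-credential-report returns it, skips the root account and users without a console password, and classifies each remaining user as ok, expiring, expired, or unknown. The 7-day warning window is taken from the rule title; the max_age_days value, the sample account ID and the user names are constructed assumptions, and the sample report contains only a subset of the real report's columns.

```python
import base64
import csv
import io
from datetime import datetime, timezone

# Constructed sample credential report (fictitious account, subset of columns).
# AWS returns this CSV Base64-encoded in the "Content" field of get-credential-report.
SAMPLE_REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2017-01-10T09:00:00+00:00,not_supported,2017-09-19T08:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,2017-03-01T09:00:00+00:00,true,2017-09-18T12:00:00+00:00,2017-06-25T09:00:00+00:00,2017-09-23T09:00:00+00:00,true
bob,arn:aws:iam::123456789012:user/bob,2017-05-01T09:00:00+00:00,true,2017-09-01T12:00:00+00:00,2017-07-01T09:00:00+00:00,N/A,false
carol,arn:aws:iam::123456789012:user/carol,2017-05-01T09:00:00+00:00,false,N/A,N/A,N/A,false
dave,arn:aws:iam::123456789012:user/dave,2017-02-01T09:00:00+00:00,true,2017-09-10T12:00:00+00:00,2017-06-15T09:00:00+00:00,N/A,true
"""
SAMPLE_CONTENT_B64 = base64.b64encode(SAMPLE_REPORT_CSV.encode()).decode()

# Matches the GeneratedTime shown in the CLI output above; used as "now" for the sample run.
SAMPLE_NOW = datetime(2017, 9, 20, 10, 15, 3, tzinfo=timezone.utc)

# Values the report uses instead of a timestamp.
NON_TIMESTAMPS = {"N/A", "not_supported", "no_information", ""}


def decode_report(content_b64):
    """Decode the Base64 'Content' field and parse the CSV into one dict per user."""
    raw = base64.b64decode(content_b64).decode("utf-8")
    return list(csv.DictReader(io.StringIO(raw)))


def parse_timestamp(value):
    """Return an aware datetime for ISO 8601 values, None for N/A / not_supported."""
    if value is None or value.strip() in NON_TIMESTAMPS:
        return None
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def password_expiry_findings(rows, now, warn_days=7, max_age_days=None):
    """Classify each console-password user by how close the password is to expiry.

    If the account has a rotation policy, password_next_rotation is authoritative.
    Otherwise the age from password_last_changed is compared with max_age_days
    (an assumed organisational maximum); with neither, the status is 'unknown'.
    """
    findings = {}
    for row in rows:
        user = row["user"]
        # Root is always not_supported; users without a console password have nothing to rotate.
        if user == "<root_account>" or row.get("password_enabled") != "true":
            continue
        last_changed = parse_timestamp(row.get("password_last_changed"))
        next_rotation = parse_timestamp(row.get("password_next_rotation"))
        age_days = (now - last_changed).days if last_changed else None

        if next_rotation is not None:
            days_until = (next_rotation - now).days
        elif age_days is not None and max_age_days is not None:
            days_until = max_age_days - age_days
        else:
            days_until = None

        if days_until is None:
            status = "unknown"
        elif days_until < 0:
            status = "expired"
        elif days_until <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        findings[user] = {"age_days": age_days, "days_until_rotation": days_until, "status": status}
    return findings


def run_sample(max_age_days=90):
    """Run the check over the constructed report; max_age_days=90 is an assumed policy value."""
    return password_expiry_findings(decode_report(SAMPLE_CONTENT_B64), SAMPLE_NOW, 7, max_age_days)


if __name__ == "__main__":
    for user, f in run_sample().items():
        print(f"{user:<8} age={f['age_days']!s:>4}d  days_until_rotation={f['days_until_rotation']!s:>4}  {f['status']}")
```

Against a real account, replace SAMPLE_CONTENT_B64 with the "Content" value from `aws iam get-credential-report --output json` and SAMPLE_NOW with `datetime.now(timezone.utc)`. Users reported as expiring or expired are the ones to handle in the Remediation / Resolution section; users reported as unknown indicate an account with no rotation policy and no agreed maximum age, which is a policy gap rather than a per-user finding.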

Remediation / Resolution

To reset any Amazon IAM user passwords that are about to expire soon, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the name of the IAM user that you want to update (see Audit section part I to identify the right IAM resource).

05 Under Summary, select Security credentials tab to access the user credentials configuration.

06 Inside Sign-In credentials section, click Manage password next to Console password to access the user password management panel.

07 On the Manage console access panel, check Require password reset checkbox to enforce the selected IAM user to create a new password at the next sign in.

08 Sign in again to the AWS Management Console using existing AWS IAM user credentials.

09 Once logged in, you will be redirected to a dedicated page where you can reset your IAM user password. Provide the old (existing) password and the new password then click Confirm password change to reset your user password.

10 Repeat steps no. 4 – 9 to reset the password for other IAM users available in your AWS account.

Using AWS CLI

01 Run update-login-profile command (OSX/Linux/UNIX) to change the password for the selected AWS IAM user (see Audit section part II to identify the right IAM user). The following command example changes the existing login profile (password) for an IAM user named Daniel (replace the user name and the <my_password> placeholder with your own values). If the command succeeds, no output is returned:

aws iam update-login-profile \
	--user-name Daniel \
	--password <my_password>

02 Repeat step no. 1 to reset the password for other IAM users available within your AWS account.

Publication date Sep 22, 2017