IAM Password Policy

Risk Level: Medium (not acceptable risk)

Rule ID: IAM-005, IAM-006, IAM-007, IAM-008, IAM-009, IAM-010, IAM-011, IAM-012

Ensure that your Amazon IAM users are using a strong password policy to define password requirements such as minimum length, expiration date, whether it requires a certain pattern, and so forth.

This rule can help you with the following compliance standards:

CISAWSF
PCI
APRA
MAS
NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Enforcing Amazon IAM passwords strength, pattern, and rotation is vital when it comes to maintaining the security of your AWS cloud account. Having a strong password policy in use will significantly reduce the risk of password-guessing methods and brute-force attacks.

Audit

Case A (Severity: High): To determine if your AWS cloud account has a custom password policy in use, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, search for the Delete and Change buttons to determine if your AWS account is configured with a custom IAM password policy. If the Delete and Change buttons are not available in the Password policy section, your AWS cloud account is not configured with a custom IAM password policy, therefore your AWS cloud resources are not fully protected against unauthorized access.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to describe the custom IAM password policy configured for your AWS cloud account:

aws iam get-account-password-policy

02 The command output should return the custom IAM password policy configured for the AWS account, otherwise it should return a NoSuchEntity error:

An error occurred (NoSuchEntity) when calling the GetAccountPasswordPolicy operation: The Password Policy with domain name 123456789012 cannot be found.

If the get-account-password-policy command output returns the NoSuchEntity error, as shown in the output example above, your AWS cloud account is not configured with a custom IAM password policy, therefore your AWS cloud resources are not fully protected against unauthorized access.

Case B (Severity: Medium): To determine if your custom IAM password policy enforces a minimum password length of 14 characters, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, check the Minimum password length is <password-length> characters requirement to determine the password length configured for your custom password policy. If the <password-length> is less than 14, the custom IAM password policy configured for your AWS cloud account is not compliant.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to describe the minimum password length (number of characters) configured for your custom Amazon IAM password policy:

aws iam get-account-password-policy
  --query 'PasswordPolicy.MinimumPasswordLength'

02 The command output should return the requested configuration information:

If the get-account-password-policy command output returns a number that is less than 14, as shown in the output example above, the custom IAM password policy configured for your AWS cloud account is not compliant.

Case C (Severity: Medium): To determine if your IAM password policy enforces at least one lowercase letter for the IAM user passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, check for the Require at least one lowercase letter from Latin alphabet (a-z) requirement to determine if the password policy enforces at least one lowercase letter for IAM user passwords. If the necessary requirement is not listed in the Password policy section, the custom IAM password policy configured for your AWS cloud account is not compliant.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to determine if your custom Amazon IAM password policy is configured to require at least one lowercase letter for IAM user passwords:

aws iam get-account-password-policy
  --query 'PasswordPolicy.RequireLowercaseCharacters'

02 The command output should return the requested configuration information:

false

If the get-account-password-policy command output returns false, as shown in the output example above, the custom IAM password policy configured for your AWS cloud account is not compliant.

Case D (Severity: Medium): To determine if your IAM password policy enforces at least one uppercase letter for the IAM user passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, check for the Require at least one uppercase letter from Latin alphabet (A-Z) requirement to determine if the password policy enforces at least one uppercase letter for IAM user passwords. If the necessary requirement is not listed in the Password policy section, the custom IAM password policy configured for your AWS cloud account is not compliant.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to determine if your custom Amazon IAM password policy is configured to require at least one uppercase letter for IAM user passwords:

aws iam get-account-password-policy
  --query 'PasswordPolicy.RequireUppercaseCharacters'

02 The command output should return the requested configuration information:

false

If the get-account-password-policy command output returns false, as shown in the output example above, the custom IAM password policy configured for your AWS cloud account is not compliant.

Case E (Severity: Medium): To determine if your IAM password policy enforces at least one number for the IAM user passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, check for the Require at least one number requirement to determine if the password policy enforces at least one number for the IAM user passwords. If the necessary requirement is not listed in the Password policy section, the custom IAM password policy configured for your AWS cloud account is not compliant.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to determine if your custom Amazon IAM password policy is configured to require at least one number for the IAM user passwords:

aws iam get-account-password-policy
  --query 'PasswordPolicy.RequireNumbers'

02 The command output should return the requested configuration information:

false

If the get-account-password-policy command output returns false, as shown in the output example above, the custom IAM password policy configured for your AWS cloud account is not compliant.

Case F (Severity: Medium): To determine if your IAM password policy enforces at least one non-alphanumeric character for the IAM user passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, check for the Require at least one non-alphanumeric character (! @ # $ % ^ & * ( ) _ + - = [ ] { } | ') requirement to determine if the password policy enforces at least one non-alphanumeric character for IAM user passwords. If the necessary requirement is not listed in the Password policy section, the custom IAM password policy configured for your AWS cloud account is not compliant.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to determine if your custom Amazon IAM password policy is configured to require at least one non-alphanumeric character for IAM user passwords:

aws iam get-account-password-policy
  --query 'PasswordPolicy.RequireSymbols'

02 The command output should return the requested configuration information:

false

If the get-account-password-policy command output returns false, as shown in the output example above, the custom IAM password policy configured for your AWS cloud account is not compliant.

Case G (Severity: Medium): To determine if your IAM password policy enforces password expiration with a defined threshold of 90 days or less, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, check the Password expires in <number-of-days> day(s) requirement to determine the password expiration date (in days) configured for your custom password policy. If the <number-of-days> is less than 90, the custom IAM password policy configured for your AWS cloud account is not compliant.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to describe the maximum password age configured for your custom Amazon IAM password policy:

aws iam get-account-password-policy
  --query 'PasswordPolicy.MaxPasswordAge'

02 The command output should return the requested configuration information:

If the get-account-password-policy command output returns null, your custom password policy does not enforce a password expiration requirement. If the command output returns a number that is greater than 90, as shown in the output example above, the custom IAM password policy configured for your AWS cloud account is not compliant.

Case H (Severity: Medium): To determine if your IAM password policy enforces prevention of reusing passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, check for the Remember last <password-number> password(s) and prevent reuse requirement to determine if the password policy enforces the prevention of reusing IAM user passwords. If the necessary requirement is not listed in the Password policy section, the custom IAM password policy configured for your AWS cloud account is not compliant.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to determine if your custom Amazon IAM password policy is configured to enforce the prevention of reusing IAM user passwords:

aws iam get-account-password-policy
  --query 'PasswordPolicy.PasswordReusePrevention'

02 The command output should return the requested configuration information:

null

If the get-account-password-policy command output returns null, as shown in the output example above, the custom IAM password policy configured for your AWS cloud account is not compliant.

Remediation / Resolution

Case A: To enable and configure a custom IAM password policy for your AWS cloud account, perform the following actions:

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# Custom IAM Password Policy 
resource "aws_iam_account_password_policy" "iam-password-policy" {
	minimum_password_length        = 14
	require_uppercase_characters   = true
	require_lowercase_characters   = true
	require_numbers                = true
	require_symbols                = true
	expire_passwords               = true
	hard_expiry                    = true
	password_reuse_prevention      = 5
	max_password_age               = 90
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, choose Change password policy and perform the following actions:

For Enforce minimum password length, enter a minimum value of 14 (characters) to force the IAM users to change their password length in order to secure the user access to your AWS cloud account.
Select the Require at least one uppercase letter from Latin alphabet (A-Z) checkbox to force the IAM users to include at least one uppercase letter in their password pattern.
Select the Require at least one lowercase letter from Latin alphabet (a-z) checkbox to force the IAM users to include at least one lowercase letter when they set the password.
Select the Require at least one number checkbox to force the IAM users to include at least one number in their password pattern.
Select the Require at least one non-alphanumeric character (! @ # $ % ^ & * ( ) _ + - = [ ] { } | ') checkbox to force the users to include at least one non-alphanumeric character in their password pattern.
Select the Enable password expiration checkbox and enter a value equal or less than 90 in the Expire passwords in <number-of-days> day(s) box to force the IAM users to use an expiration date for their passwords.
Select the Prevent password reuse checkbox and enter a value between 1 and 24 in the Remember <number-of-passwords> password(s) box to prevent the IAM user password reuse.
Choose Save changes to apply the changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) to enable a compliant and custom IAM password policy for your AWS cloud account (the command does not produce an output):

aws iam update-account-password-policy
  --minimum-password-length 14
  --require-uppercase-characters
  --require-lowercase-characters
  --require-numbers
  --require-symbols
  --max-password-age 90
  --password-reuse-prevention 5

Case B: To enforce a minimum length of 14 characters for your IAM user passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, choose Change password policy, and enter a minimum value of 14 (characters) in the Enforce minimum password length box, to force IAM users to change their password length to minimum 14 characters in order to secure the user access to your AWS cloud account. Choose Save changes to apply the changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) to force IAM users to change their password length to minimum 14 characters in order to secure the user access to your AWS account (the command does not produce an output):

aws iam update-account-password-policy
  --minimum-password-length 14

Case C: To enforce at least one uppercase letter for your IAM user passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, choose Change password policy, and select the Require at least one uppercase letter from Latin alphabet (A-Z) checkbox to force the IAM users to include at least one uppercase letter in their password pattern. Choose Save changes to apply the changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) to force the IAM users to include at least one uppercase letter in their password pattern (the command does not produce an output):

aws iam update-account-password-policy
  --require-uppercase-characters

Case D: To enforce at least one lowercase letter for your IAM user passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, choose Change password policy, and select the Require at least one lowercase letter from Latin alphabet (a-z) checkbox to force the IAM users to include at least one lowercase letter in their password pattern. Choose Save changes to apply the changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) to force the IAM users to include at least one lowercase letter in their password pattern (the command does not produce an output):

aws iam update-account-password-policy
  --require-lowercase-characters

Case E: To enforce at least one number for your IAM user passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, choose Change password policy, and select the Require at least one number checkbox to force the IAM users to include at least one number in their password pattern. Choose Save changes to apply the changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) to force the IAM users to include at least one number in their password pattern (the command does not produce an output):

aws iam update-account-password-policy
  --require-numbers

Case F: To enforce at least one non-alphanumeric character for your IAM user passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, choose Change password policy, and select the Require at least one non-alphanumeric character (! @ # $ % ^ & * ( ) _ + - = [ ] { } | ') checkbox to force the IAM users to include at least one non-alphanumeric character in their password pattern. Choose Save changes to apply the changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) to force the IAM users to include at least one non-alphanumeric character in their password pattern (the command does not produce an output):

aws iam update-account-password-policy
  --require-symbols

Case G: To enforce password expiration with a threshold of 90 days or less for your IAM user passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, choose Change password policy, and enter a value of less than or equal to 90 in the Enable password expiration in day(s) box, to force the IAM users to use a compliant expiration date for their passwords. Choose Save changes to apply the changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) to set the right number of days during which an IAM user password is valid (the command does not produce an output):

aws iam update-account-password-policy
  --max-password-age 90

Case H: To enforce the prevention of reusing IAM user passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, select Account settings.

04 In the Password policy section, choose Change password policy, select the Prevent password reuse checkbox and enter a value between 1 and 24 in the Remember password(s) box to prevent the IAM user password reuse. Choose Save changes to apply the changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) to set the number of previous passwords that Amazon IAM users are prevented from reusing (the command does not produce an output):

aws iam update-account-password-policy
  --password-reuse-prevention 5

References

AWS Documentation
AWS Identity and Access Management FAQs
IAM Best Practices
Setting an Account Password Policy for IAM Users

AWS Command Line Interface (CLI) Documentation
iam
get-account-password-policy
update-account-password-policy

Publication date May 24, 2016

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

IAM Password Policy

Risk Level: Medium

Audit

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using Terraform (AWS Provider)

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

References

Related IAM rules