Ensure that your Amazon IAM users are subject to a strong password policy that defines password requirements such as minimum length, expiration, required character types (pattern), and so forth.
This rule can help you with the following compliance standards:
- CISAWSF
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Enforcing Amazon IAM password strength, pattern, and rotation is vital to maintaining the security of your AWS cloud account. A strong password policy significantly reduces the risk from password-guessing and brute-force attacks.
Audit
Case A (Severity: High): To determine if your AWS cloud account has a custom password policy in use, perform the following actions:
Case B (Severity: Medium): To determine if your custom IAM password policy enforces a minimum password length of 14 characters, perform the following actions:
Case C (Severity: Medium): To determine if your IAM password policy enforces at least one lowercase letter for the IAM user passwords, perform the following actions:
Case D (Severity: Medium): To determine if your IAM password policy enforces at least one uppercase letter for the IAM user passwords, perform the following actions:
Case E (Severity: Medium): To determine if your IAM password policy enforces at least one number for the IAM user passwords, perform the following actions:
Case F (Severity: Medium): To determine if your IAM password policy enforces at least one non-alphanumeric character for the IAM user passwords, perform the following actions:
Case G (Severity: Medium): To determine if your IAM password policy enforces password expiration with a defined threshold of 90 days or less, perform the following actions:
Case H (Severity: Medium): To determine if your IAM password policy enforces prevention of reusing passwords, perform the following actions:
Remediation / Resolution
Case A: To enable and configure a custom IAM password policy for your AWS cloud account, perform the following actions:
Case B: To enforce a minimum length of 14 characters for your IAM user passwords, perform the following actions:
Case C: To enforce at least one uppercase letter for your IAM user passwords, perform the following actions:
Case D: To enforce at least one lowercase letter for your IAM user passwords, perform the following actions:
Case E: To enforce at least one number for your IAM user passwords, perform the following actions:
Case F: To enforce at least one non-alphanumeric character for your IAM user passwords, perform the following actions:
Case G: To enforce password expiration with a threshold of 90 days or less for your IAM user passwords, perform the following actions:
Case H: To enforce the prevention of reusing IAM user passwords, perform the following actions:
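As an added worked example that is not part of the Conformity rule or of AWS's own tooling, the following Python evaluates an account password policy (the `PasswordPolicy` object returned by `get-account-password-policy`) against audit Cases A through H; the `WEAK_POLICY` sample is constructed, and the live lookup under `__main__` assumes boto3 with working AWS credentials.

```python
"""Evaluate an IAM account password policy against audit Cases A-H."""
from typing import Optional

# Thresholds taken from the rule text: 14-character minimum, 90-day maximum age.
MIN_LENGTH = 14
MAX_AGE_DAYS = 90


def audit_password_policy(policy: Optional[dict]) -> dict:
    """Map each case letter to (passed, detail).

    `policy` is the PasswordPolicy object that get-account-password-policy
    returns, or None when the API raised NoSuchEntity (no custom policy: Case A).
    """
    if policy is None:
        return {"A": (False, "no custom IAM password policy configured")}
    findings = {"A": (True, "custom IAM password policy present")}
    min_len = policy.get("MinimumPasswordLength", 0)
    findings["B"] = (min_len >= MIN_LENGTH, f"MinimumPasswordLength={min_len}")
    # Cases C-F: one boolean flag each in the policy object.
    for case, key in (("C", "RequireLowercaseCharacters"),
                      ("D", "RequireUppercaseCharacters"),
                      ("E", "RequireNumbers"),
                      ("F", "RequireSymbols")):
        flag = bool(policy.get(key, False))
        findings[case] = (flag, f"{key}={flag}")
    # MaxPasswordAge is omitted from the response when expiration is disabled.
    max_age = policy.get("MaxPasswordAge")
    expires = bool(policy.get("ExpirePasswords", False)) and max_age is not None
    findings["G"] = (expires and max_age <= MAX_AGE_DAYS, f"MaxPasswordAge={max_age}")
    # PasswordReusePrevention is omitted when reuse prevention is not configured.
    reuse = policy.get("PasswordReusePrevention")
    findings["H"] = (reuse is not None and reuse >= 1, f"PasswordReusePrevention={reuse}")
    return findings


def failing_cases(findings: dict) -> list:
    """Case letters that failed, sorted, for reporting."""
    return sorted(case for case, (ok, _) in findings.items() if not ok)


# Constructed sample: a weak policy as the API would return it (expiration and
# reuse prevention are not set, so their keys are simply absent).
WEAK_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": False,
               "RequireNumbers": True, "RequireUppercaseCharacters": True,
               "RequireLowercaseCharacters": False, "ExpirePasswords": False,
               "AllowUsersToChangePassword": True}

if __name__ == "__main__":
    import boto3  # live check only; the offline sample above does not need it
    iam = boto3.client("iam")
    try:
        live = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        live = None
    print("failing cases:", failing_cases(audit_password_policy(live)))
```

When remediating with `aws iam update-account-password-policy`, pass every desired option in one call (for example `--minimum-password-length 14 --max-password-age 90 --password-reuse-prevention 24` alongside the four `--require-*` flags), because the command replaces the whole policy and any omitted option reverts to its default.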
References
- AWS Documentation
- AWS Identity and Access Management FAQs
- IAM Best Practices
- Setting an Account Password Policy for IAM Users
- AWS Command Line Interface (CLI) Documentation
- iam
- get-account-password-policy
- update-account-password-policy