
πŸ›‘οΈ AWS Account IAM Password Policy Number of passwords to remember is not set to 24🟒

  • Contextual name: πŸ›‘οΈ IAM Password Policy Number of passwords to remember is not set to 24🟒
  • ID: /ce/ca/aws/account/password-policy-number-of-passwords-to-remember-24
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-f7c2faac1 |  | 

Description

IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.

Rationale

Preventing password reuse increases account resiliency against brute force login attempts.

Audit

Perform the following to ensure the password policy is configured as prescribed:

From Console
  1. Log in to the AWS Console (with appropriate permissions to view Identity and Access Management account settings).
  2. Go to the IAM service on the AWS Console.
  3. Click Account Settings in the left pane.
  4. Ensure Prevent password reuse is checked.
  5. Ensure Number of passwords to remember is set to 24.
From Command Line
  1. Run the following command:
     aws iam get-account-password-policy

Ensure the output of the above command includes "PasswordReusePrevention": 24.
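The command-line audit above can be scripted so the check is repeatable and so the two failure modes a reviewer meets in practice are handled explicitly: the account has a password policy but PasswordReusePrevention is missing or below 24, and the account has no password policy at all (the CLI then returns a NoSuchEntity error). The script below is an added example and is not part of the original page or of Cloudaware's own tooling. It assumes the AWS CLI is installed and credentialed only when run with --live; run without arguments it evaluates three constructed sample outputs in the documented shape of the CLI's JSON. AWS accepts values 1 to 24 for PasswordReusePrevention, so 24 is both the benchmark value and the maximum.

```shell
#!/bin/sh
# Added audit helper (not from the original page): evaluates the JSON printed by
# `aws iam get-account-password-policy` against the requirement that
# PasswordReusePrevention is 24. Assumptions: the AWS CLI is installed and
# credentialed when run with --live; otherwise only the constructed samples
# below are evaluated, so the script runs offline.

REQUIRED_REUSE_PREVENTION=24

# Constructed sample outputs (not from any real account) in the CLI's JSON shape.
SAMPLE_COMPLIANT='{ "PasswordPolicy": { "MinimumPasswordLength": 14, "RequireSymbols": true, "PasswordReusePrevention": 24 } }'
SAMPLE_WEAK='{ "PasswordPolicy": { "MinimumPasswordLength": 8, "PasswordReusePrevention": 5 } }'
SAMPLE_UNSET='{ "PasswordPolicy": { "MinimumPasswordLength": 8, "RequireNumbers": true } }'

# Read policy JSON on stdin and print the integer PasswordReusePrevention value.
# Whitespace (including the CLI's pretty-printing newlines) is stripped first.
# Prints nothing when the key is absent, i.e. reuse prevention is not configured.
extract_reuse_prevention() {
    tr -d '\n\r\t ' | sed -n 's/.*"PasswordReusePrevention":\([0-9][0-9]*\).*/\1/p'
}

# Read policy JSON on stdin; return 0 when the control passes, 1 when it fails.
evaluate_policy_json() {
    value=$(extract_reuse_prevention)
    if [ -z "$value" ]; then
        echo "FAIL: PasswordReusePrevention is not set; password reuse is not prevented"
        return 1
    fi
    if [ "$value" -ge "$REQUIRED_REUSE_PREVENTION" ]; then
        echo "PASS: PasswordReusePrevention is $value"
        return 0
    fi
    echo "FAIL: PasswordReusePrevention is $value, expected $REQUIRED_REUSE_PREVENTION"
    return 1
}

# Query the live account. A NoSuchEntity error means no password policy exists
# at all, which also fails the control; any other error is reported separately.
check_account() {
    if ! output=$(aws iam get-account-password-policy 2>&1); then
        case "$output" in
            *NoSuchEntity*) echo "FAIL: no account password policy is configured"; return 1 ;;
            *) echo "ERROR: $output"; return 2 ;;
        esac
    fi
    printf '%s\n' "$output" | evaluate_policy_json
}

if [ "${1:-}" = "--live" ]; then
    check_account
else
    printf '%s' "$SAMPLE_COMPLIANT" | evaluate_policy_json || true
    printf '%s' "$SAMPLE_WEAK"      | evaluate_policy_json || true
    printf '%s' "$SAMPLE_UNSET"     | evaluate_policy_json || true
fi
```

Run it with `--live` to audit the account the CLI is configured for; the exit status (0 pass, 1 fail, 2 CLI error) makes it usable from a scheduled job. When remediating, keep in mind that `aws iam update-account-password-policy` is not a partial update: any parameter omitted from the call reverts to its default, which is why the page's note about combining all the update flags into one command matters.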

References

  1. CCE-78908-1
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy

Remediation

Perform the following to set the password policy as prescribed:

From Console

  1. Log in to the AWS Console (with appropriate permissions to view Identity and Access Management account settings).
  2. Go to the IAM service on the AWS Console.
  3. Click Account Settings in the left pane.
  4. Check Prevent password reuse.
  5. Set Number of passwords to remember to 24.

From Command Line

  1. Run the following command:
     aws iam update-account-password-policy --password-reuse-prevention 24

Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.

policy.yaml

Linked Framework Sections

Section | Sub Section | Internal Rules / Policies / Flags (counts, undelimited) | Compliance
💼 APRA CPG 234 | 💼 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes. | 88 | no data
💼 APRA CPG 234 | 💼 5 The strength of identification and authentication would typically be commensurate with the impact should an identity be falsified. Common techniques for increasing the strength of identification and authentication include the use of strong password techniques (i.e. length, complexity, re-use limitations and frequency of change), utilisation of cryptographic techniques and increasing the number and type of authentication factors used. Authentication factors include something an individual: a. knows - for example, user IDs and passwords; b. has - for example, a security token or other devices in the person's possession used for the generation of one-time passwords; c. is - for example, retinal scans, hand scans, signature scans, digital signature, voice scans or other biometrics. | 33 | no data
💼 AWS Foundational Security Best Practices v1.0.0 | 💼 [IAM.7] Password policies for IAM users should have strong configurations | 12 | no data
💼 CIS AWS v1.2.0 | 💼 1.10 Ensure IAM password policy prevents password reuse | 11 | no data
💼 CIS AWS v1.3.0 | 💼 1.9 Ensure IAM password policy prevents password reuse | 11 | no data
💼 CIS AWS v1.4.0 | 💼 1.9 Ensure IAM password policy prevents password reuse | 11 | no data
💼 CIS AWS v1.5.0 | 💼 1.9 Ensure IAM password policy prevents password reuse - Level 1 (Automated) | 11 | no data
💼 CIS AWS v2.0.0 | 💼 1.9 Ensure IAM password policy prevents password reuse - Level 1 (Automated) | 11 | no data
💼 CIS AWS v3.0.0 | 💼 1.9 Ensure IAM password policy prevents password reuse - Level 1 (Automated) | 11 | no data
💼 CIS AWS v4.0.0 | 💼 1.9 Ensure IAM password policy prevents password reuse (Automated) | 1 | no data
💼 CIS AWS v4.0.1 | 💼 1.9 Ensure IAM password policy prevents password reuse (Automated) | 1 | no data
💼 CIS AWS v5.0.0 | 💼 1.8 Ensure IAM password policy prevents password reuse (Automated) | 1 | no data
💼 CIS AWS v6.0.0 | 💼 2.8 Ensure IAM password policy prevents password reuse (Automated) | 1 | no data
💼 Cloudaware Framework | 💼 Credential Lifecycle Management | 18 | no data
💼 FedRAMP High Security Controls | 💼 AC-2(1) Automated System Account Management (M)(H) | 18 | no data
💼 FedRAMP High Security Controls | 💼 AC-2(3) Disable Accounts (M)(H) | 4 | no data
💼 FedRAMP High Security Controls | 💼 IA-5 Authenticator Management (L)(M)(H) | 61432 | no data
💼 FedRAMP High Security Controls | 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 18 | no data
💼 FedRAMP Low Security Controls | 💼 IA-5 Authenticator Management (L)(M)(H) | 132 | no data
💼 FedRAMP Low Security Controls | 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 8 | no data
💼 FedRAMP Moderate Security Controls | 💼 AC-2(1) Automated System Account Management (M)(H) | 18 | no data
💼 FedRAMP Moderate Security Controls | 💼 AC-2(3) Disable Accounts (M)(H) | 4 | no data
💼 FedRAMP Moderate Security Controls | 💼 IA-5 Authenticator Management (L)(M)(H) | 432 | no data
💼 FedRAMP Moderate Security Controls | 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 8 | no data
💼 GDPR | 💼 Art. 25 Data protection by design and by default | 1010 | no data
💼 ISO/IEC 27001:2013 | 💼 A.9.3.1 Use of secret authentication information | 33 | no data
💼 ISO/IEC 27001:2013 | 💼 A.9.4.3 Password management system | 11 | no data
💼 ISO/IEC 27001:2022 | 💼 5.17 Authentication information | 11 | no data
💼 NIST CSF v1.1 | 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 1934 | no data
💼 NIST CSF v1.1 | 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | 413 | no data
💼 NIST CSF v1.1 | 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) | 1923 | no data
💼 NIST CSF v2.0 | 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 42 | no data
💼 NIST CSF v2.0 | 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions | 13 | no data
💼 NIST CSF v2.0 | 💼 PR.AA-03: Users, services, and hardware are authenticated | 53 | no data
💼 NIST CSF v2.0 | 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 116 | no data
💼 NIST SP 800-53 Revision 4 | 💼 IA-5 AUTHENTICATOR MANAGEMENT | 1522 | no data
💼 NIST SP 800-53 Revision 5 | 💼 AC-2(1) Account Management _ Automated System Account Management | 418 | no data
💼 NIST SP 800-53 Revision 5 | 💼 AC-2(3) Account Management _ Disable Accounts | 14 | no data
💼 NIST SP 800-53 Revision 5 | 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | 13 | no data
💼 NIST SP 800-53 Revision 5 | 💼 IA-5(1) Authenticator Management _ Password-based Authentication | 8 | no data
💼 PCI DSS v3.2.1 | 💼 8.2.3 Passwords/passphrases must have complexity and strength. | 12 | no data
💼 PCI DSS v3.2.1 | 💼 8.2.4 Change user passwords/passphrases at least once every 90 days. | 3 | no data
💼 PCI DSS v3.2.1 | 💼 8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used. | 12 | no data
💼 PCI DSS v4.0.1 | 💼 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity. | 2 | no data
💼 PCI DSS v4.0.1 | 💼 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. | 2 | no data
💼 PCI DSS v4.0.1 | 💼 8.3.9 If passwords/passphrases are used as the only authentication factor for user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed. | 3 | no data
💼 PCI DSS v4.0.1 | 💼 8.3.10 If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, then guidance is provided to customer users. | 14 | no data
💼 PCI DSS v4.0 | 💼 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity. | 12 | no data
💼 PCI DSS v4.0 | 💼 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. | 2 | no data
💼 PCI DSS v4.0 | 💼 8.3.9 If passwords/passphrases are used as the only authentication factor for user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed. | 3 | no data
💼 PCI DSS v4.0 | 💼 8.3.10 If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, then guidance is provided to customer users. | 114 | no data
💼 SOC 2 | 💼 CC6.1-8 Manages Identification and Authentication | 1824 | no data
💼 UK Cyber Essentials | 💼 2.1.2 Change any default or guessable account passwords | 23 | no data
💼 UK Cyber Essentials | 💼 4.2.2 Use technical controls to manage the quality of passwords. | 23 | no data
💼 UK Cyber Essentials | 💼 4.2.3 Support users to choose unique passwords for their work accounts | 11 | no data
💼 UK Cyber Essentials | 💼 4.2.4 The password element of the multi-factor authentication | 23 | no data