
πŸ“ AWS Account IAM Password Policy Number of passwords to remember is not set to 24 🟒

  • Contextual name: πŸ“ IAM Password Policy Number of passwords to remember is not set to 24 🟒
  • ID: /ce/ca/aws/account/password-policy-number-of-passwords-to-remember-24
  • Located in: πŸ“ AWS Account

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category: SECURITY

Similar Internal Rules

  • dec-x-f7c2faac1
Logic

Description

IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.

Rationale​

Preventing password reuse increases account resiliency against brute force login attempts: a user cannot cycle back to a password that has already been guessed or exposed in a breach, so a forced rotation actually invalidates the old credential.

Audit​

Perform the following to ensure the password policy is configured as prescribed:

From Console
  1. Log in to the AWS Console (with appropriate permissions to view Identity and Access Management account settings).
  2. Go to the IAM service on the AWS Console.
  3. Click on Account Settings in the left pane.
  4. Ensure Prevent password reuse is checked.
  5. Ensure Number of passwords to remember is set to 24.
From Command Line
  1. Run the following command:
aws iam get-account-password-policy

Ensure the output of the above command includes "PasswordReusePrevention": 24. Note that the PasswordReusePrevention key is omitted entirely when Prevent password reuse is unchecked, and the command fails with a NoSuchEntity error when the account has no password policy at all; treat both cases as non-compliant rather than as a missing value.

References​

  1. CCE-78908-1
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy

Remediation

Perform the following to set the password policy as prescribed:

From Console

  1. Log in to the AWS Console (with appropriate permissions to update Identity and Access Management account settings).
  2. Go to the IAM service on the AWS Console.
  3. Click on Account Settings in the left pane.
  4. Check Prevent password reuse.
  5. Set Number of passwords to remember to 24.

From Command Line​

  1. Run the following command:
aws iam update-account-password-policy --password-reuse-prevention 24

Note: update-account-password-policy does not support partial updates; any parameter you leave out reverts to its default value. All settings required by this and the related password policy checks must therefore be combined into a single aws iam update-account-password-policy command, otherwise running the command above on its own will silently reset minimum length, complexity and expiry settings.
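The following script, added here as an example and not part of the Cloudaware policy or the AWS CLI, combines the audit and the remediation above. It reads the current policy with the same get-account-password-policy call, treats a missing key or a NoSuchEntity error as non-compliant, and builds an update-account-password-policy command that re-sends every existing setting so that only PasswordReusePrevention changes. The function names, the SAMPLE_POLICY dict and the --apply switch are this example's own; when run for real it needs the AWS CLI and credentials allowed to call iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy.

```python
"""Audit and remediate the IAM account password policy reuse-prevention setting.

Added example (not Cloudaware's or AWS's code). Wraps the two CLI calls used on
the page: get-account-password-policy and update-account-password-policy.
"""
import json
import subprocess
from typing import Optional

REQUIRED_REUSE_PREVENTION = 24  # CIS benchmark value; also the API maximum

# PasswordPolicy fields mapped to update-account-password-policy flags.
# Booleans become --flag / --no-flag, integers take a value.
# ExpirePasswords is read-only output and has no flag.
_BOOL_FLAGS = {
    "RequireSymbols": "require-symbols",
    "RequireNumbers": "require-numbers",
    "RequireUppercaseCharacters": "require-uppercase-characters",
    "RequireLowercaseCharacters": "require-lowercase-characters",
    "AllowUsersToChangePassword": "allow-users-to-change-password",
    "HardExpiry": "hard-expiry",
}
_INT_FLAGS = {
    "MinimumPasswordLength": "minimum-password-length",
    "MaxPasswordAge": "max-password-age",
    "PasswordReusePrevention": "password-reuse-prevention",
}


def fetch_policy() -> Optional[dict]:
    """Return the PasswordPolicy dict, or None when the account has no policy.

    With no policy set the CLI exits non-zero with a NoSuchEntity error; that
    is a finding, not a crash.
    """
    proc = subprocess.run(
        ["aws", "iam", "get-account-password-policy", "--output", "json"],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        if "NoSuchEntity" in proc.stderr:
            return None
        raise RuntimeError(proc.stderr.strip())
    return json.loads(proc.stdout)["PasswordPolicy"]


def is_compliant(policy: Optional[dict]) -> bool:
    """True only when reuse prevention is enabled and equals 24.

    The key is absent when 'Prevent password reuse' is unchecked, so a plain
    equality check on .get() covers both failure modes.
    """
    if policy is None:
        return False
    return policy.get("PasswordReusePrevention") == REQUIRED_REUSE_PREVENTION


def build_update_args(policy: Optional[dict]) -> list:
    """Build the full update-account-password-policy argument list.

    The API does not do partial updates: omitted parameters revert to their
    defaults. Every existing setting is therefore re-sent unchanged and only
    PasswordReusePrevention is forced to 24.
    """
    merged = dict(policy or {})
    merged["PasswordReusePrevention"] = REQUIRED_REUSE_PREVENTION
    args = ["aws", "iam", "update-account-password-policy"]
    for field, flag in _BOOL_FLAGS.items():
        if field in merged:
            args.append(f"--{flag}" if merged[field] else f"--no-{flag}")
    for field, flag in _INT_FLAGS.items():
        if field in merged:
            args += [f"--{flag}", str(merged[field])]
    return args


# Constructed sample of get-account-password-policy output for an account that
# remembers only 5 passwords (hypothetical, not taken from a real account).
SAMPLE_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 5,
    "HardExpiry": False,
}

if __name__ == "__main__":
    import sys
    current = fetch_policy()
    if is_compliant(current):
        print("PASS: PasswordReusePrevention is 24")
        sys.exit(0)
    print("FAIL: current policy:", json.dumps(current))
    cmd = build_update_args(current)
    print("Remediation command:", " ".join(cmd))
    if "--apply" in sys.argv:  # dry run unless explicitly asked to change the account
        subprocess.run(cmd, check=True)
```

Run it without arguments to see the finding and the exact command that would be applied; pass --apply to execute the remediation. Because the generated command echoes the current minimum length, complexity and expiry settings back to AWS, it does not have the reset side effect that a bare --password-reuse-prevention 24 call has.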


Linked Framework Sections

  • APRA CPG 234 → 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes.
  • APRA CPG 234 → 5 The strength of identification and authentication would typically be commensurate with the impact should an identity be falsified. Common techniques for increasing the strength of identification and authentication include the use of strong password techniques (i.e. length, complexity, re-use limitations and frequency of change), utilisation of cryptographic techniques and increasing the number and type of authentication factors used. Authentication factors include something an individual: a. knows - for example, user IDs and passwords; b. has - for example, a security token or other devices in the person's possession used for the generation of one-time passwords; c. is - for example, retinal scans, hand scans, signature scans, digital signature, voice scans or other biometrics.
  • AWS Foundational Security Best Practices v1.0.0 → [IAM.7] Password policies for IAM users should have strong configurations
  • CIS AWS v1.2.0 → 1.10 Ensure IAM password policy prevents password reuse
  • CIS AWS v1.3.0 → 1.9 Ensure IAM password policy prevents password reuse
  • CIS AWS v1.4.0 → 1.9 Ensure IAM password policy prevents password reuse
  • CIS AWS v1.5.0 → 1.9 Ensure IAM password policy prevents password reuse - Level 1 (Automated)
  • CIS AWS v2.0.0 → 1.9 Ensure IAM password policy prevents password reuse - Level 1 (Automated)
  • CIS AWS v3.0.0 → 1.9 Ensure IAM password policy prevents password reuse - Level 1 (Automated)
  • CIS AWS v4.0.0 → 1.9 Ensure IAM password policy prevents password reuse (Automated)
  • CIS AWS v4.0.1 → 1.9 Ensure IAM password policy prevents password reuse (Automated)
  • CIS AWS v5.0.0 → 1.8 Ensure IAM password policy prevents password reuse (Automated)
  • Cloudaware Framework → Credential Lifecycle Management
  • FedRAMP High Security Controls → AC-2(1) Automated System Account Management (M)(H)
  • FedRAMP High Security Controls → AC-2(3) Disable Accounts (M)(H)
  • FedRAMP High Security Controls → IA-5 Authenticator Management (L)(M)(H)
  • FedRAMP High Security Controls → IA-5(1) Password-based Authentication (L)(M)(H)
  • FedRAMP Low Security Controls → IA-5 Authenticator Management (L)(M)(H)
  • FedRAMP Low Security Controls → IA-5(1) Password-based Authentication (L)(M)(H)
  • FedRAMP Moderate Security Controls → AC-2(1) Automated System Account Management (M)(H)
  • FedRAMP Moderate Security Controls → AC-2(3) Disable Accounts (M)(H)
  • FedRAMP Moderate Security Controls → IA-5 Authenticator Management (L)(M)(H)
  • FedRAMP Moderate Security Controls → IA-5(1) Password-based Authentication (L)(M)(H)
  • GDPR → Art. 25 Data protection by design and by default
  • ISO/IEC 27001:2013 → A.9.3.1 Use of secret authentication information
  • ISO/IEC 27001:2013 → A.9.4.3 Password management system
  • ISO/IEC 27001:2022 → 5.17 Authentication information
  • NIST CSF v1.1 → PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • NIST CSF v1.1 → PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
  • NIST CSF v1.1 → PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)
  • NIST CSF v2.0 → PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization
  • NIST CSF v2.0 → PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
  • NIST CSF v2.0 → PR.AA-03: Users, services, and hardware are authenticated
  • NIST CSF v2.0 → PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
  • NIST SP 800-53 Revision 4 → IA-5 AUTHENTICATOR MANAGEMENT
  • NIST SP 800-53 Revision 5 → AC-2(1) Account Management | Automated System Account Management
  • NIST SP 800-53 Revision 5 → AC-2(3) Account Management | Disable Accounts
  • NIST SP 800-53 Revision 5 → AC-3(15) Access Enforcement | Discretionary and Mandatory Access Control
  • NIST SP 800-53 Revision 5 → IA-5(1) Authenticator Management | Password-based Authentication
  • PCI DSS v3.2.1 → 8.2.3 Passwords/passphrases must have complexity and strength.
  • PCI DSS v3.2.1 → 8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.
  • PCI DSS v4.0.1 → 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity.
  • PCI DSS v4.0.1 → 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.
  • PCI DSS v4.0 → 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity.
  • PCI DSS v4.0 → 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.
  • UK Cyber Essentials → 2.1.2 Change any default or guessable account passwords
  • UK Cyber Essentials → 4.2.2 Use technical controls to manage the quality of passwords.
  • UK Cyber Essentials → 4.2.3 Support users to choose unique passwords for their work accounts
  • UK Cyber Essentials → 4.2.4 The password element of the multi-factor authentication