
πŸ›‘οΈ AWS Account does not have an IAM Password Policy🟒

  • Contextual name: 🛡️ Account does not have an IAM Password Policy 🟢
  • ID: /ce/ca/aws/iam/password-policy
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

This policy identifies AWS Accounts that do not have an IAM password policy configured.

A strong password policy helps enforce requirements such as minimum password length, expiration period, and complexity rules for IAM users.

Rationale

IAM password policies enable administrators to enforce password strength and complexity for users signing in to the AWS Management Console. Without a password policy, users may create weak passwords that are easily guessed or compromised, increasing the risk of unauthorized access to your AWS environment.

Audit

This policy flags an AWS Account as INCOMPLIANT if there is no related AWS IAM Password Policy.

References

  1. CCE-78907-3
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy

Remediation

Configure an IAM Password Policy

Set a strong password policy to enforce minimum length, complexity, expiration, and password reuse restrictions for IAM users.

From Console
  1. Sign in to the AWS Management Console with permissions to manage IAM account settings.

  2. Navigate to the IAM service.

  3. In the left navigation pane, select Account Settings.

  4. In the Password policy section, choose Change password policy and configure the following (as an example):

    • Enforce minimum password length: Set to 14 characters.
    • Require at least one uppercase letter (A-Z).
    • Require at least one lowercase letter (a-z).
    • Require at least one number.
    • Require at least one non-alphanumeric character (e.g., ! @ # $ % ^ & *).
    • Enable password expiration: Set Expire passwords in ≤ 90 days.
    • Prevent password reuse: Remember 24 previous passwords.
  5. Click Save changes to apply the policy.

From Command Line

Run the following AWS CLI command to configure the password policy:

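The Audit section above says an account is INCOMPLIANT when no IAM password policy exists, and the remediation steps give concrete thresholds (14 characters, all four character classes, expiration within 90 days, 24 remembered passwords). The following Python script is an added example, not the policy's own logic or Cloudaware code: it evaluates the JSON that the real `aws iam get-account-password-policy` command prints against those thresholds, treats a missing policy (the CLI fails with a NoSuchEntity error) as INCOMPLIANT, and assembles the real `aws iam update-account-password-policy` invocation for the target settings. The two policy documents embedded in it are constructed samples in the shape the CLI returns; the field and flag names are AWS's own.

```python
"""Check an AWS account's IAM password policy against the thresholds above.

Added example. Pipe in the output of `aws iam get-account-password-policy`,
or pass None when that command fails with NoSuchEntity (no policy exists).
The sample documents at the bottom are constructed, not captured output.
"""
import json
import shlex

# Thresholds taken from the remediation steps on this page.
MIN_LENGTH = 14
MAX_AGE_DAYS = 90
REUSE_HISTORY = 24


def evaluate_policy(policy_json):
    """Return (status, findings) for parsed get-account-password-policy output.

    policy_json is None when the account has no password policy at all,
    which is exactly the condition the Audit section flags.
    """
    if not policy_json:
        return "INCOMPLIANT", ["no IAM password policy configured"]
    p = policy_json.get("PasswordPolicy", {})
    findings = []
    length = p.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(f"minimum length {length} < {MIN_LENGTH}")
    for flag in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                 "RequireNumbers", "RequireSymbols"):
        if not p.get(flag, False):
            findings.append(f"{flag} is not enabled")
    # MaxPasswordAge is omitted from the CLI output when expiration is off,
    # so a missing key counts as "no expiration", not as zero days.
    age = p.get("MaxPasswordAge")
    if age is None or age > MAX_AGE_DAYS:
        findings.append(f"password expiration is not set to <= {MAX_AGE_DAYS} days")
    if p.get("PasswordReusePrevention", 0) < REUSE_HISTORY:
        findings.append(f"password reuse prevention < {REUSE_HISTORY} passwords")
    status = "COMPLIANT" if not findings else "INCOMPLIANT"
    return status, findings


def remediation_command(min_length=MIN_LENGTH, max_age=MAX_AGE_DAYS,
                        reuse=REUSE_HISTORY):
    """Build the argv for the AWS CLI call that applies the target settings."""
    return [
        "aws", "iam", "update-account-password-policy",
        "--minimum-password-length", str(min_length),
        "--require-uppercase-characters",
        "--require-lowercase-characters",
        "--require-numbers",
        "--require-symbols",
        "--allow-users-to-change-password",
        "--max-password-age", str(max_age),
        "--password-reuse-prevention", str(reuse),
    ]


# Constructed sample: a policy that exists but misses several thresholds.
WEAK_POLICY = json.loads("""{
  "PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": false,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": false,
    "HardExpiry": false
  }
}""")

# Constructed sample: a policy matching the remediation steps.
STRONG_POLICY = json.loads("""{
  "PasswordPolicy": {
    "MinimumPasswordLength": 14,
    "RequireSymbols": true,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": true,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": false
  }
}""")

if __name__ == "__main__":
    for label, doc in (("no policy", None), ("weak", WEAK_POLICY),
                       ("strong", STRONG_POLICY)):
        status, findings = evaluate_policy(doc)
        print(f"{label:10} {status:12} {findings}")
    print("remediation:", shlex.join(remediation_command()))
```

To run it against a real account, capture `aws iam get-account-password-policy --output json` into a file and call `evaluate_policy(json.load(f))`; if the command exits with NoSuchEntity, call `evaluate_policy(None)`. The checks here go one step beyond the Audit section, which only tests for the policy's existence, by also reporting which of the page's recommended settings are missing.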

policy.yaml

Linked Framework Sections

Section → Sub Section | Counts (Sub Sections / Internal Rules / Policies / Flags, as extracted) | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.7] Password policies for IAM users should have strong configurations | 13 | no data
💼 AWS Well-Architected → 💼 SEC02-BP01 Use strong sign-in mechanisms | 4 | no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management | 23 | no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 23 | no data
💼 FedRAMP High Security Controls → 💼 AC-2(3) Disable Accounts (M)(H) | 6 | no data
💼 FedRAMP High Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 112 | no data
💼 FedRAMP Low Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 12 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 23 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(3) Disable Accounts (M)(H) | 6 | no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 12 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management | 423 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(3) Account Management _ Disable Accounts | 16 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | 18 | no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-5(1) Authenticator Management _ Password-based Authentication | 12 | no data
💼 PCI DSS v3.2.1 → 💼 8.2.3 Passwords/passphrases must have complexity and strength. | 13 | no data
💼 PCI DSS v3.2.1 → 💼 8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used. | 13 | no data
💼 PCI DSS v4.0.1 → 💼 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity. | 3 | no data
💼 PCI DSS v4.0.1 → 💼 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. | 3 | no data
💼 PCI DSS v4.0 → 💼 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity. | 13 | no data
💼 PCI DSS v4.0 → 💼 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. | 3 | no data