🛡️ AWS Account does not have an IAM Password Policy🟢

• Contextual name: 🛡️ Account does not have an IAM Password Policy🟢
• ID: /ce/ca/aws/iam/password-policy
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS Account
  • 🔌 AWS IAM Password Policy - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: IAM Password Policy

Description

Open File

Description

This policy identifies AWS Accounts that do not have an IAM password policy configured.

A strong password policy helps enforce requirements such as minimum password length, expiration period, and complexity rules for IAM users.

Rationale

IAM password policies enable administrators to enforce password strength and complexity for users signing in to the AWS Management Console. Without a password policy, users may create weak passwords that are easily guessed or compromised, increasing the risk of unauthorized access to your AWS environment.

Audit

This policy flags an AWS Account as INCOMPLIANT if there is no related AWS IAM Password Policy.

References

1. CCE-78907-3
2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
3. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy

Remediation

Open File

Remediation

Configure an IAM Password Policy

Set a strong password policy to enforce minimum length, complexity, expiration, and password reuse restrictions for IAM users.

From Console

1. Sign in to the AWS Management Console with permissions to manage IAM account settings.

2. Navigate to the IAM service.

3. In the left navigation pane, select Account Settings.

4. In the Password policy section, choose Change password policy and configure the following (as an example):

   • Enforce minimum password length: Set to 14 characters.
   • Require at least one uppercase letter (A-Z).
   • Require at least one lowercase letter (a-z).
   • Require at least one number.
   • Require at least one non-alphanumeric character (e.g., ! @ # $ % ^ & *).
   • Enable password expiration: Set Expire passwords in ≤ 90 days.
   • Prevent password reuse: Remember 24 previous passwords.

5. Click Save changes to apply the policy.

From Command Line

Run the following AWS CLI command to configure the password policy:

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.7] Password policies for IAM users should have strong configurations		1	3		no data
💼 AWS Well-Architected → 💼 SEC02-BP01 Use strong sign-in mechanisms			5		no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management			24		no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			26		no data
💼 FedRAMP High Security Controls → 💼 AC-2(3) Disable Accounts (M)(H)			6		no data
💼 FedRAMP High Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)		1	13		no data
💼 FedRAMP Low Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)			13		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			26		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(3) Disable Accounts (M)(H)			6		no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)			13		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	26		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(3) Account Management _ Disable Accounts		1	6		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			21		no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-5(1) Authenticator Management _ Password-based Authentication			13		no data
💼 PCI DSS v3.2.1 → 💼 8.2.3 Passwords/passphrases must have complexity and strength.		1	3		no data
💼 PCI DSS v3.2.1 → 💼 8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.		1	3		no data
💼 PCI DSS v4.0.1 → 💼 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity.			3		no data
💼 PCI DSS v4.0.1 → 💼 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.			3		no data
💼 PCI DSS v4.0 → 💼 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity.		1	3		no data
💼 PCI DSS v4.0 → 💼 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.			3		no data