AWS IAM Password Policy

Risk level: Medium (not acceptable risk)

Rule ID: IAM-005, IAM-006, IAM-007, IAM-008, IAM-009, IAM-010, IAM-011, IAM-012

Ensure that your AWS IAM users are using a strong password policy to define password requirements such as minimum length, expiration date, whether it requires a certain pattern, and so forth.

This rule can help you with the following compliance standards:

CISAWSF
PCI
APRA
MAS
NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Enforcing AWS IAM passwords strength, pattern and rotation is vital when it comes to maintaining the security of your AWS account. Having a strong password policy in use will significantly reduce the risk of password-guessing and brute-force attacks.

Audit

Case A (Risk Level: High). To determine if your AWS account has a password policy in use, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, check the password policy current state. If the policy configuration does not enforce any of the predefined requirements provided by AWS and it displays the following message: “Currently, this AWS account does not have a password policy. Specify a password policy below”, your AWS account does not have an active IAM password policy and is not protected against unauthorized access.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to reveal the password policy for your AWS account:

aws iam get-account-password-policy

02 The command output should return the IAM password policy configuration metadata in case it has one already implemented and a 404 (NoSuchEntity) error in case there is no policy currently assigned:

A client error (NoSuchEntity) occurred when calling the GetAccountPasswordPolicy operation: The Password Policy with domain name 356366855517 cannot be found.

If the 404 (NoSuchEntity) error is returned, your AWS account does not have an active IAM password policy and is not currently protected against unauthorized access.

Case B (Risk Level: Medium). To determine if your IAM password policy enforces a minimum password length of 14 characters, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, check the Minimum password length current value. If the current value for the password length is less than 14, the password policy configuration is not following IAM security best practices.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to reveal the password policy for your AWS account:

aws iam get-account-password-policy

02 The command output should return the IAM password policy current configuration metadata:

{
    "PasswordPolicy": {
        "AllowUsersToChangePassword": true,
        "RequireLowercaseCharacters": false,
        "RequireUppercaseCharacters": false,
        "MinimumPasswordLength": 8,
        "RequireNumbers": false,
        "RequireSymbols": false,
        "HardExpiry": false,
        "ExpirePasswords": false
    }
}

If In the MinimumPasswordLength (highlighted) parameter value is less than 14, the password policy current configuration is not following IAM security best practices.

Case C (Risk Level: Medium). To determine if your IAM password policy enforces at least one lowercase letter for the user passwords, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, check the Require at least one lowercase letter setting current status. If the setting is not enabled (its checkbox is not selected), the password policy configuration is not following IAM security best practices.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to reveal the password policy for your AWS account:

aws iam get-account-password-policy

02 The command output should return the IAM password policy current configuration metadata:

{
    "PasswordPolicy": {
        "AllowUsersToChangePassword": true,
        "RequireLowercaseCharacters": false,
        "RequireUppercaseCharacters": false,
        "MinimumPasswordLength": 8,
        "RequireNumbers": false,
        "RequireSymbols": false,
        "HardExpiry": false,
        "ExpirePasswords": false
    }
}

If In the RequireLowercaseCharacters (highlighted) parameter value is set to false, the policy current configuration is not enforcing lowercase letters for user passwords, hence is not following IAM security best practices.

Case D (Risk Level: Medium). To determine if your IAM password policy enforces at least one uppercase letter for the user passwords, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

In the left navigation panel, select Account Settings.

04 In the Password Policy section, check the Require at least one uppercase letter current status. If the setting is not enabled (its checkbox is not selected), the password policy configuration is not following IAM security best practices.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to reveal the password policy for your AWS account:

aws iam get-account-password-policy

02 The command output should return the IAM password policy current configuration metadata:

{
    "PasswordPolicy": {
        "AllowUsersToChangePassword": true,
        "RequireLowercaseCharacters": false,
        "RequireUppercaseCharacters": false,
        "MinimumPasswordLength": 8,
        "RequireNumbers": false,
        "RequireSymbols": false,
        "HardExpiry": false,
        "ExpirePasswords": false
    }
}

If the RequireUppercaseCharacters (highlighted) parameter value is set to false, the policy current configuration is not enforcing uppercase letters for user passwords, hence is not following IAM security best practices.

Case E (Risk Level: Medium). To determine if your IAM password policy enforces at least one number for the user passwords, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, check the Require at least one number setting current status. If the setting is not enabled (its checkbox is not selected), the password policy configuration is not following IAM security best practices.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to reveal the password policy for your AWS account:

aws iam get-account-password-policy

02 The command output should return the IAM password policy current configuration metadata:

{
    "PasswordPolicy": {
        "AllowUsersToChangePassword": true,
        "RequireLowercaseCharacters": false,
        "RequireUppercaseCharacters": false,
        "MinimumPasswordLength": 8,
        "RequireNumbers": false,
        "RequireSymbols": false,
        "HardExpiry": false,
        "ExpirePasswords": false
    }
}

If the RequireNumbers (highlighted) parameter value is set to false, the policy current configuration is not enforcing numbers for user passwords, hence is not following IAM security best practices.

Case F (Risk Level: Medium). To determine if your IAM password policy enforces at least one non-alphanumeric character for the user passwords, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, check the Require at least one non-alphanumeric character current status. If the setting is not enabled (its checkbox is not selected), the password policy current configuration is not following IAM security best practices.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to reveal the password policy for your AWS account:

aws iam get-account-password-policy

02 The command output should return the IAM password policy current configuration metadata:

{
    "PasswordPolicy": {
        "AllowUsersToChangePassword": true,
        "RequireLowercaseCharacters": false,
        "RequireUppercaseCharacters": false,
        "MinimumPasswordLength": 8,
        "RequireNumbers": false,
        "RequireSymbols": false,
        "HardExpiry": false,
        "ExpirePasswords": false
    }
}

If the RequireSymbols (highlighted) parameter value is set to false, the policy current configuration is not enforcing non-alphanumeric characters for user passwords, hence is not following IAM security best practices.

Case G (Risk Level: Medium). To determine if your IAM password policy enforces password expiration with a defined threshold of 90 days or less, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, check the Enable password expiration current status. If the setting is not enabled (its checkbox is not selected) or the setting is enabled and the value for the Password expiration period (in days) is greater than 90 (days), the password policy current configuration is not following IAM security best practices.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to reveal the password policy for your AWS account:

aws iam get-account-password-policy

02 The command output should return the IAM password policy current configuration metadata:

{
    "PasswordPolicy": {
        "AllowUsersToChangePassword": true,
        "RequireLowercaseCharacters": false,
        "RequireUppercaseCharacters": false,
        "MinimumPasswordLength": 8,
        "RequireNumbers": false,
        "HardExpiry": false,
        "RequireSymbols": false,
        "MaxPasswordAge": 120,
        "ExpirePasswords": true
    }
}

If the ExpirePasswords (highlighted) parameter value is set to false, the policy current configuration is not enforcing password expiration. If In the ExpirePasswords parameter value is set to true but the MaxPasswordAge (highlighted) value is greater than 90, the policy configuration is not enforcing an optimal expiration date (in days) for user passwords, hence is not following IAM security best practices.

Case H (Risk Level: Medium). To determine if your IAM password policy enforces prevention of reusing passwords, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, check the Prevent password reuse setting current status. If the setting is not enabled (its checkbox is not selected), the password policy configuration is not following IAM security best practices.

Using AWS CLI

01 Run get-account-password-policy command (OSX/Linux/UNIX) to reveal the password policy for your AWS account:

aws iam get-account-password-policy

02 The command output should return the IAM password policy current configuration metadata:

{
    "PasswordPolicy": {
        "AllowUsersToChangePassword": false,
        "RequireLowercaseCharacters": false,
        "RequireUppercaseCharacters": false,
        "MinimumPasswordLength": 8,
        "RequireNumbers": false,
        "RequireSymbols": false,
        "HardExpiry": false,
        "ExpirePasswords": false
    }
}

If the PasswordReusePrevention parameter is not returned with the rest of the policy metadata, the password policy current configuration is not enforcing the prevention of reusing passwords, hence is not following IAM security best practices.

Remediation / Resolution

Case A: To enable the IAM password policy for your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, click the Apply password policy button to enable the IAM password policy for all the users that access your AWS account using the management console.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) to enable the IAM password policy for your AWS account (if successful, the command does not produce an output):

aws iam update-account-password-policy

Case B: To enforce a minimum length of 14 characters for your IAM user passwords, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 Inside the Password Policy section, in the Minimum password length box, enter a minimum value of 14 to force IAM users to change their passwords length in order to secure the access to the AWS console and adhere to IAM security best practices.

05 Click Apply password policy button to apply the policy changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) to enforce the IAM users to change their passwords length to a value equal or greater than 14 (if successful, the command does not produce an output):

aws iam update-account-password-policy 
	--minimum-password-length 14

Case C: To enforce at least one uppercase letter for your IAM user passwords, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, select the Require at least one uppercase letter checkbox to force IAM users to include at least one uppercase letter in their password pattern in order to follow IAM security best practices.

05 Click Apply password policy button to apply the policy changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) using the --require-uppercase-characters parameter (highlighted) to enforce the IAM users to include at least one uppercase letter when they set the password (if successful, the command does not produce an output):

aws iam update-account-password-policy
	--minimum-password-length 14
	--require-uppercase-characters

Case D: To enforce at least one lowercase letter for your IAM user passwords, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, select the Require at least one lowercase letter checkbox to force IAM users to include at least one lowercase letter when they set the password in order to follow IAM security best practices.

05 Click Apply password policy button to apply the policy changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) using the –require-lowercase-characters parameter (highlighted) to enforce the IAM users to include at least one lowercase letter when they set the password (if successful, the command does not produce an output):

aws iam update-account-password-policy
	--minimum-password-length 14
	--require-uppercase-characters
	--require-lowercase-characters

Case E: To enforce at least one number for your IAM user passwords, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, select the Require at least one number checkbox to force IAM users to include at least one number in their password pattern in order to follow IAM security best practices.

05 Click Apply password policy button to apply the policy changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) using the –require-numbers parameter (highlighted) to enforce the IAM users to include at least one number when they set the password (if successful, the command does not produce an output):

aws iam update-account-password-policy
	--minimum-password-length 14
	--require-uppercase-characters
	--require-lowercase-characters
	--require-numbers

Case F: To enforce at least one non-alphanumeric character for your IAM user passwords, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, select the Require at least one non-alphanumeric character checkbox to force users to include at least one non-alphanumeric character in their password pattern in order to follow IAM security best practices.

05 Click Apply password policy button to apply the policy changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) using the --require-symbols parameter (highlighted) to enforce the IAM users to include at least one non-alphanumeric character when they set the password (if successful, the command does not produce an output):

aws iam update-account-password-policy
	--minimum-password-length 14
	--require-uppercase-characters
	--require-lowercase-characters
	--require-numbers
	--require-symbols

Case G: To enforce password expiration with a threshold of 90 days or less for your IAM user passwords, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, select the Enable password expiration checkbox and enter a value equal or less than 90 in the Password expiration period (in days) box to force IAM users to use an expiration date for their passwords in order to follow IAM security best practices.

05 Click Apply password policy button to apply the policy changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) using the --max-password-age parameter (highlighted) to set the number of days during which a password is valid (if successful, the command does not produce an output):

aws iam update-account-password-policy
	--minimum-password-length 14
	--require-uppercase-characters
	--require-lowercase-characters
	--require-numbers
	--require-symbols
	--max-password-age 60

Case H: To enforce prevention of reusing passwords for your IAM uses, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Account Settings.

04 In the Password Policy section, select the Prevent password reuse checkbox and enter a value between 1 and 24 in the Number of passwords to remember box to enable reuse prevention for their passwords in order to follow IAM security best practices.

05 Click Apply password policy button to apply the policy changes.

Using AWS CLI

01 Run update-account-password-policy command (OSX/Linux/UNIX) using the --password-reuse-prevention parameter (highlighted) to set the number of previous passwords that IAM users are prevented from reusing (if successful, the command does not produce an output):

aws iam update-account-password-policy
	--minimum-password-length 14
	--require-uppercase-characters
	--require-lowercase-characters
	--require-numbers
	--require-symbols
	--max-password-age 60
	--password-reuse-prevention 5

References

AWS Documentation
AWS Identity and Access Management FAQs
IAM Best Practices
Setting an Account Password Policy for IAM Users

AWS Command Line Interface (CLI) Documentation
iam
list-users
get-account-password-policy
update-account-password-policy

Publication date May 24, 2016

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

AWS IAM Password Policy

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

References

Related IAM rules