AWS IAM password policy allows password reuse

Description

Password policies are implemented to enforce compliance with password complexity standards. The IAM password policy must prohibit the reuse of passwords, ensuring that each new password is unique. This practice enhances security by reducing the risk of compromise, particularly in defending against brute force attack vectors.

Fix - Runtime

AWS Console

To change the password policy in the AWS Console, you will need the appropriate permissions to view and update the Identity and Access Management (IAM) account settings.

To manually set the password policy so that it prevents password reuse, follow these steps:

  1. Log in to the AWS Management Console as an IAM user at https://console.aws.amazon.com/iam/.
  2. Navigate to IAM Services.
  3. On the Left Pane click Account Settings.
  4. Select Prevent password reuse.
  5. For "Number of passwords to remember" enter 24.
  6. Click Apply password policy.

CLI Command

To change the password policy from the CLI, use the following command. Note that update-account-password-policy does not support partial updates: any parameter you omit reverts to its default value, so pass your existing complexity settings on the same command line rather than only the reuse-prevention flag.

aws iam update-account-password-policy --password-reuse-prevention 24
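
The check and the remediation described above, as an added Python example that is not part of the original page: it evaluates the JSON shape returned by `aws iam get-account-password-policy` (including the NoSuchEntity case where no policy exists) and builds an update command that carries over every existing setting so the reset-to-defaults behaviour does not strip the complexity rules. The sample policy, the function names and the threshold of 24 are assumptions for illustration.

```python
import json
import shlex

MIN_REUSE_PREVENTION = 24  # the value the page recommends

# Constructed sample of `aws iam get-account-password-policy` output (not real
# account data): complexity rules are set, but reuse prevention is too low.
SAMPLE_OUTPUT = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
    "PasswordReusePrevention": 5}})

def reuse_prevention_finding(cli_output):
    """Return a finding string when the policy permits reuse, else None.
    cli_output is the raw JSON text, or None when the call failed with
    NoSuchEntity (no custom policy: AWS defaults apply, reuse is allowed)."""
    if cli_output is None:
        return "no account password policy configured; reuse is allowed"
    policy = json.loads(cli_output).get("PasswordPolicy", {})
    remembered = policy.get("PasswordReusePrevention")
    if remembered is None:
        return "PasswordReusePrevention not set; reuse is allowed"
    if remembered < MIN_REUSE_PREVENTION:
        return f"PasswordReusePrevention is {remembered}, below {MIN_REUSE_PREVENTION}"
    return None

# Response field -> update flag (booleans take a --x / --no-x pair). ExpirePasswords
# is derived from MaxPasswordAge and has no flag of its own, so it is left out.
INT_FLAGS = {"MinimumPasswordLength": "--minimum-password-length",
             "MaxPasswordAge": "--max-password-age"}
BOOL_FLAGS = {"RequireSymbols": "--require-symbols", "RequireNumbers": "--require-numbers",
              "RequireUppercaseCharacters": "--require-uppercase-characters",
              "RequireLowercaseCharacters": "--require-lowercase-characters",
              "AllowUsersToChangePassword": "--allow-users-to-change-password",
              "HardExpiry": "--hard-expiry"}

def remediation_command(cli_output):
    """Build an update command that re-states every existing setting, because
    update-account-password-policy resets any parameter it is not given."""
    policy = json.loads(cli_output).get("PasswordPolicy", {}) if cli_output else {}
    argv = ["aws", "iam", "update-account-password-policy"]
    for key, flag in INT_FLAGS.items():
        if key in policy:
            argv += [flag, str(policy[key])]
    for key, flag in BOOL_FLAGS.items():
        if key in policy:
            argv.append(flag if policy[key] else flag.replace("--", "--no-", 1))
    argv += ["--password-reuse-prevention", str(MIN_REUSE_PREVENTION)]
    return shlex.join(argv)
```

Feed the real CLI output to both functions; when the account has no policy at all, pass None and the remediation command is built from the page's flag alone.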

Fix - Buildtime

Terraform

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length      = 8
  require_lowercase_characters = true
  require_numbers              = true
  require_uppercase_characters = true
  require_symbols              = true
  # Number of previous passwords IAM users cannot reuse.
  password_reuse_prevention    = 24
}