- Ensure AWS IAM password policy expires in 90 days or less
AWS IAM password policy does not expire in 90 days
Description
Password policies are enforced to ensure compliance with password complexity requirements. The IAM password policy should mandate password rotation or expiration within a defined time period, with a recommended expiration cycle of 90 days or less.
Reducing the effective lifespan of a password through enforced periodic changes enhances account resilience against the following security threats:
- Brute force attacks
- Unauthorized password theft or compromise, potentially occurring without user awareness
- Interception and recording of traffic, including encrypted data, by web filters and proxy servers
- The use of identical passwords across multiple systems, such as work, email, and personal accounts
- Compromise of end-user workstations through keystroke logging techniques
Fix - Runtime
AWS Console
To change the password policy in the AWS Console, you will need appropriate permissions to view Identity and Access Management account settings.
To manually set the password expiration period, follow these steps:
- Log in to the AWS Management Console as an IAM user at https://console.aws.amazon.com/iam/.
- Navigate to IAM Services.
- On the left pane, click Account Settings.
- Select Enable password expiration.
- For Password expiration period (in days), enter 90 or less.
- Click Apply password policy.
CLI Command
Change the password policy using CLI command:
aws iam update-account-password-policy --max-password-age 90
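As an added example (not part of the original page), a small Python/boto3 audit-and-fix script for this check. It carries every existing setting over when it updates, because update-account-password-policy, the call behind the CLI command above, is not a partial update: any option left unspecified reverts to its AWS default. The live calls assume credentials allowed to use iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy.

```python
"""Check and fix the IAM account password expiration setting (90 days or less).
evaluate() and remediated() are pure and run offline on constructed policy
dicts; the __main__ block applies them through boto3 (needs IAM credentials)."""
from typing import Optional, Tuple

MAX_AGE_DAYS = 90  # threshold stated by the policy text

# update_account_password_policy parameters; same names as the get response.
UPDATE_KEYS = (
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "MaxPasswordAge",
    "PasswordReusePrevention", "HardExpiry",
)


def evaluate(policy: Optional[dict]) -> Tuple[bool, str]:
    """Return (compliant, reason) for a PasswordPolicy dict; None = no policy."""
    if policy is None:
        return False, "no account password policy is set"
    age = policy.get("MaxPasswordAge")  # absent when expiration is disabled
    if age is None:
        return False, "password expiration is not enabled"
    if age > MAX_AGE_DAYS:
        return False, f"MaxPasswordAge is {age} days (limit {MAX_AGE_DAYS})"
    return True, f"MaxPasswordAge is {age} days"


def remediated(policy: Optional[dict], max_age: int = MAX_AGE_DAYS) -> dict:
    """Full argument set for update_account_password_policy.
    The update is not partial: any option omitted reverts to its default, so
    every existing setting is carried over and only MaxPasswordAge changes.
    """
    params = {k: policy[k] for k in UPDATE_KEYS if policy and k in policy}
    params["MaxPasswordAge"] = max_age
    return params


if __name__ == "__main__":
    import boto3  # only the live path needs it
    iam = boto3.client("iam")
    try:
        current = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:  # account never set a policy
        current = None
    ok, reason = evaluate(current)
    print("compliant" if ok else "NON-COMPLIANT", "-", reason)
    if not ok:
        iam.update_account_password_policy(**remediated(current))
```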
Fix - Buildtime
Terraform
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length      = 8
  require_lowercase_characters = true
  require_numbers              = true
  require_uppercase_characters = true
  require_symbols              = true
  password_reuse_prevention    = 24
  max_password_age             = 89
}