AWS IAM Password Policy Allows Password Reuse

This policy identifies IAM policies which allow password reuse . AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

AWS IAM password policy allows password reuse.
JSON Query:
$.resource[*].aws_iam_account_password_policy[*].*[*].password_reuse_prevention == 0
Recommendation:
Recommended solution for restricting password reuse.
It is recommended not to allow password reuse. Please make sure your template has "password_reuse_prevention" attribute set to a non-zero value.
For example:
"aws_iam_account_password_policy": [ { "<am_account_password_policy_name>": [ { "password_reuse_prevention": 10 } ] } ]

Run Rule Recommendation

  1. Sign in to the AWS console and navigate to the 'IAM' service.
  2. Click on 'Account Settings', check 'Prevent password reuse'.
Remediation CLI Command:
aws iam update-account-password-policy --minimum-password-length 14 --require-uppercase-characters --require-lowercase-characters --require-numbers --require-symbols --allow-users-to-change-password --password-reuse-prevention 24 --max-password-age 90
CLI Command Description:
This CLI command requires 'iam:UpdateAccountPasswordPolicy' permission. Successful execution will update the password policy to set the minimum password length to 14, require lowercase, uppercase, symbol, allow users to reset password, cannot reuse the last 24 passwords and password expiration to 90 days.

Compliance

There are 11 standards that are applicable to this policy:
  • CIS v1.2.0 (AWS)
  • MITRE ATT&CK [Beta]
  • HITRUST CSF v9.3
  • GDPR
  • HIPAA
  • NIST 800-171 Rev1
  • SOC 2
  • PIPEDA
  • CSA CCM v3.0.1
  • NIST 800-53 Rev4
  • CCPA 2018

Recommended For You