AWS IAM Password Policy Does Not Expire In 90 Days

This policy identifies the IAM policies which does not have password expiration set to 90 days. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

AWS IAM password policy does not expire in 90 days.
JSON Query:
$.resource[*].aws_iam_account_password_policy[*].*[?( @.max_password_age>90 )] is not empty
Recommendation:
Recommended solution for making sure password expires within 90 days.
It is recommended IAM policy password should expire within 90 days. Please make sure your template has "max_password_age" attribute has value set to anything equal to or below 90.
For example:
"aws_iam_account_password_policy": [ { "<am_account_password_policy_name>": [ { "max_password_age": 90 } ] } ]

Run Rule Recommendation

  1. Login to the AWS console and navigate to the 'IAM' service.
  2. On the left navigation panel, Click on 'Account Settings'.
  3. check 'Enable password expiration' and enter a password expiration period.
  4. Click on 'Apply password policy'.
Remediation CLI Command:
aws iam update-account-password-policy --minimum-password-length 14 --require-uppercase-characters --require-lowercase-characters --require-numbers --require-symbols --allow-users-to-change-password --password-reuse-prevention 24 --max-password-age 90
CLI Command Description:
This CLI command requires 'iam:UpdateAccountPasswordPolicy' permission. Successful execution will update the password policy to set the minimum password length to 14, require lowercase, uppercase, symbol, allow users to reset password, cannot reuse the last 24 passwords and password expiration to 90 days.

Compliance

There are 10 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • CIS v1.2.0 (AWS)
  • HITRUST CSF v9.3
  • ISO 27001:2013
  • GDPR
  • HIPAA
  • NIST 800-171 Rev1
  • SOC 2
  • CSA CCM v3.0.1
  • NIST 800-53 Rev4

Recommended For You