
IAM Password Policy – Securing AWS Cloud

By: Aseem Rastogi | 2 Aug 2018

Enabling IAM Password Policy

Strong passwords, and a policy that enforces them, are the first line of defense against unauthorized access and tampering. A strong password policy is mandatory when using the AWS cloud, and several compliance frameworks require one explicitly, for example:

  • ISO 27001 – A.9.2.4 – Management of secret authentication information of users
  • HIPAA 164.308(a)(5)(ii)(D) – Procedures for creating, changing, and safeguarding passwords.
  • CIS Benchmark for AWS – Section 1.5 to 1.10 provide guidance on password policy requirements, such as composition of the password.

A weak IAM password policy, or the absence of one, can lead to account compromise or even full account takeover. Audit the AWS account periodically and confirm the policy is configured correctly.

How to Audit AWS Account Password Policy

  1. Log in to the AWS console and navigate to the IAM service (#1 in the screen below)
  2. Click on “Apply an IAM password policy” (#2 in the screen below)
  3. If the item is shown in green, an IAM password policy is already in effect and we can proceed to reviewing its settings; if not, the account is running on AWS defaults and a policy must be created.
[Screenshot: AWS IAM Password Policy]

It is highly recommended to have the following settings enabled (see the screenshot below):

  • Require at least one uppercase letter in the password
  • Require at least one lowercase letter in the password
  • Require at least one number in the password
  • Require at least one special character in the password
  • Set a minimum password length (the CIS benchmark cited above calls for at least 14 characters)
  • Enable password expiration, with a maximum age of 30 days
  • Prevent reuse of the last 5 passwords
[Screenshot: AWS IAM Password Complexity Rules]

Remediation

After ticking the rules in the screen above, click “Apply Password Policy” to remediate the security gap. Note that applying the policy does not force a password change for existing users; their current passwords remain valid until they expire under the new maximum age.
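The console steps above do not scale across many accounts, so the same audit and remediation can be scripted against the IAM API. The following is an added example written for this page, not code from the original post. It uses boto3's get_account_password_policy and update_account_password_policy calls; the 30-day expiry and 5-password history are the settings recommended above, while the 14-character minimum length is an assumption taken from the CIS AWS Foundations Benchmark. The sample weak policy is constructed for illustration, and the live run at the bottom assumes credentials with iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy permissions.

```python
"""Audit and remediate the AWS account password policy with boto3."""
from typing import Any, Dict, List, Optional

# Target settings. Keys are the exact field names used by the IAM
# GetAccountPasswordPolicy / UpdateAccountPasswordPolicy APIs.
RECOMMENDED: Dict[str, Any] = {
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MinimumPasswordLength": 14,   # assumption: CIS benchmark value, not stated in the article
    "MaxPasswordAge": 30,          # days, as recommended in the article
    "PasswordReusePrevention": 5,  # remember the last 5 passwords, as recommended in the article
    "AllowUsersToChangePassword": True,
}

# Constructed sample: the "PasswordPolicy" dict a weakly configured account
# might return. Not real data from any account.
SAMPLE_WEAK_POLICY: Dict[str, Any] = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "HardExpiry": False,
}


def audit_password_policy(policy: Optional[Dict[str, Any]]) -> List[str]:
    """Compare a policy against RECOMMENDED and return human-readable findings.

    `policy` is the "PasswordPolicy" member of a GetAccountPasswordPolicy
    response, or None when the account has no policy at all (the API raises
    NoSuchEntity and AWS's permissive defaults apply). An empty list means
    the policy satisfies every recommendation.
    """
    if policy is None:
        return ["No IAM password policy is applied; AWS default settings are in effect"]

    findings: List[str] = []
    for key in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                "RequireNumbers", "RequireSymbols", "AllowUsersToChangePassword"):
        if policy.get(key) is not True:
            findings.append(f"{key} is not enabled")

    length = policy.get("MinimumPasswordLength", 0)
    if length < RECOMMENDED["MinimumPasswordLength"]:
        findings.append(f"MinimumPasswordLength is {length}, want at least "
                        f"{RECOMMENDED['MinimumPasswordLength']}")

    # MaxPasswordAge is only present in the response when expiration is on.
    age = policy.get("MaxPasswordAge") if policy.get("ExpirePasswords") else None
    if age is None:
        findings.append("Password expiration is not enabled")
    elif age > RECOMMENDED["MaxPasswordAge"]:
        findings.append(f"MaxPasswordAge is {age} days, want at most "
                        f"{RECOMMENDED['MaxPasswordAge']}")

    reuse = policy.get("PasswordReusePrevention")
    if reuse is None:
        findings.append("Password reuse prevention is not set")
    elif reuse < RECOMMENDED["PasswordReusePrevention"]:
        findings.append(f"PasswordReusePrevention is {reuse}, want at least "
                        f"{RECOMMENDED['PasswordReusePrevention']}")
    return findings


def remediation_parameters() -> Dict[str, Any]:
    """Keyword arguments for iam.update_account_password_policy().

    The update call replaces the whole policy and any parameter left out
    reverts to its default, so every recommended field is passed explicitly.
    """
    return dict(RECOMMENDED)


def fetch_policy(iam) -> Optional[Dict[str, Any]]:
    """Read the live policy; None if the account has none. `iam` is a boto3 IAM client."""
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return None


if __name__ == "__main__":
    import boto3  # only needed for the live run; the functions above are pure

    iam = boto3.client("iam")
    findings = audit_password_policy(fetch_policy(iam))
    if findings:
        print("Password policy findings:")
        for finding in findings:
            print("  -", finding)
        iam.update_account_password_policy(**remediation_parameters())
        print("Remediated; remaining findings:", audit_password_policy(fetch_policy(iam)))
    else:
        print("Password policy meets all recommended settings")
```

Run it with the same credentials you would use for the console audit; the functions are pure, so they can also be dropped into a scheduled job that iterates over every account in an organization and raises an alert whenever the findings list is non-empty. The explicit handling of NoSuchEntity matters: an account with no policy at all is the worst case and must be reported, not skipped as an error.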

To keep the AWS environment secure and compliant with the regulations listed above, these steps need to be repeated whenever the AWS infrastructure changes. Ask us how we can help keep a constant watch, or request a free trial.