AWS IAM

Password Policy Missing - 'Require Uppercase'

This plugin checks that the account password policy requires the use of uppercase letters.

Risk Level: Medium

Description:

This plugin checks that the account password policy requires the use of uppercase letters. A strong password policy also enforces a minimum length, an expiration period, reuse prevention, and the use of symbols.

PingSafe strongly recommends updating the password policy to require the use of uppercase letters.

About the Service:

AWS Identity and Access Management (IAM) allows you to securely manage access to AWS services and resources. With IAM you create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources.

You can review and adjust these policies so that only the required services are accessible, and thereby adhere more closely to the principle of least privilege.

Impact:

Enforcing the strength, pattern, and rotation of AWS IAM passwords is critical to keeping your AWS account safe and secure.

The absence of a strong password policy will increase the risk of password guessing and brute-forcing.

Steps to reproduce:

  1. Login to AWS Management Console.
    https://console.aws.amazon.com/ 
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam 
  3. Select Account Settings under Access Management.
  4. This page displays a section named Password policy which shows the password policy of the account.
  5. If this policy does not require at least one uppercase letter in passwords, the password policy is weak.
  6. Repeat steps for other accounts as well.

Steps for remediation:

  1. Login to AWS Management Console.
    https://console.aws.amazon.com/ 
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam 
  3. Select Account Settings under Access Management.
  4. This page displays a section named Password policy which shows the password policy of the account.
  5. If this policy does not require at least one uppercase character in passwords, the password policy is weak.
  6. Select the Change password policy button. In the Set Password Policy tab that appears, check Require at least one uppercase letter from Latin alphabet (A-Z), then click Save changes.
  7. Repeat steps for other accounts with the same problem as well.
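The same check and fix can be automated instead of repeated in the console for every account. The script below is an added example and is not PingSafe's plugin code: evaluate_policy() runs the "require uppercase" check (and the other strength settings the description mentions) over the PasswordPolicy dict that the IAM GetAccountPasswordPolicy API returns, and hardened_policy() builds the full argument set for UpdateAccountPasswordPolicy. The thresholds (14 characters, 90 days, 24 remembered passwords) and the SAMPLE_WEAK_POLICY data are this example's own assumptions; only the --live mode talks to AWS, so the rest runs offline.

```python
"""Added example: audit an AWS IAM account password policy for the
'require uppercase' control and the other strength settings, and build a
remediation call that does not silently reset unrelated settings.

evaluate_policy() and hardened_policy() operate on the plain dict that
iam.get_account_password_policy()["PasswordPolicy"] returns, so they can be
exercised offline on constructed sample data; only --live talks to AWS.
"""
import sys

# Thresholds are this example's assumptions (not values stated on the page).
MIN_LENGTH = 14
MAX_AGE_DAYS = 90
REUSE_PREVENTION = 24

# Constructed sample of a weak policy, shaped like the API response.
SAMPLE_WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,   # the finding this page describes
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "PasswordReusePrevention": 5,
}


def evaluate_policy(policy):
    """Return a list of findings; an empty list means the policy passes.

    `policy` is the PasswordPolicy dict, or None when the account has no
    custom policy at all (GetAccountPasswordPolicy raises NoSuchEntity).
    """
    if policy is None:
        return ["no account password policy configured; AWS defaults apply"]
    findings = []
    # Boolean flags come back False (or absent) when not enforced.
    for key, what in (
        ("RequireUppercaseCharacters", "uppercase letters"),
        ("RequireLowercaseCharacters", "lowercase letters"),
        ("RequireNumbers", "numbers"),
        ("RequireSymbols", "symbols"),
    ):
        if not policy.get(key, False):
            findings.append(f"policy does not require {what}")
    length = policy.get("MinimumPasswordLength", 6)  # 6 is the AWS default
    if length < MIN_LENGTH:
        findings.append(f"minimum length {length} is below {MIN_LENGTH}")
    if (not policy.get("ExpirePasswords", False)
            or policy.get("MaxPasswordAge", 0) > MAX_AGE_DAYS):
        findings.append(f"passwords do not expire within {MAX_AGE_DAYS} days")
    if policy.get("PasswordReusePrevention", 0) < REUSE_PREVENTION:
        findings.append(f"fewer than {REUSE_PREVENTION} previous passwords "
                        "are blocked from reuse")
    return findings


def hardened_policy(policy):
    """Build the full keyword set for update_account_password_policy().

    UpdateAccountPasswordPolicy is not a partial update: any parameter left
    out is reset to its default. Sending only RequireUppercaseCharacters=True
    would therefore weaken the rest of the policy, so every field is carried
    over from the current policy and only tightened where it falls short.
    """
    current = policy or {}
    return {
        "MinimumPasswordLength": max(current.get("MinimumPasswordLength", 6), MIN_LENGTH),
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": current.get("AllowUsersToChangePassword", True),
        "MaxPasswordAge": min(current.get("MaxPasswordAge") or MAX_AGE_DAYS, MAX_AGE_DAYS),
        "PasswordReusePrevention": max(current.get("PasswordReusePrevention", 0), REUSE_PREVENTION),
        "HardExpiry": current.get("HardExpiry", False),
    }


def main():
    live = "--live" in sys.argv
    if live:
        import boto3  # only needed against a real account
        iam = boto3.client("iam")
        try:
            policy = iam.get_account_password_policy()["PasswordPolicy"]
        except iam.exceptions.NoSuchEntityException:
            policy = None
    else:
        policy = SAMPLE_WEAK_POLICY  # offline run over the constructed sample
    findings = evaluate_policy(policy)
    for finding in findings:
        print("FINDING:", finding)
    if findings and live and "--fix" in sys.argv:
        iam.update_account_password_policy(**hardened_policy(policy))
        print("password policy updated")
    return findings


if __name__ == "__main__":
    main()
```

Run it without arguments to see the four findings raised by the constructed sample; `--live` reads the real policy of the account the current credentials belong to, and `--live --fix` applies hardened_policy(). The reason for carrying every field over rather than sending just the uppercase flag is the UpdateAccountPasswordPolicy semantics noted in the docstring: parameters you omit are reset to their defaults, so a one-field "fix" can quietly undo the minimum length or expiry you already had.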

References: