AWS IAM

Password Policy Not Set

This plugin checks that a custom password policy is enforced in the account.

Risk Level: Medium

Description:

PingSafe strongly recommends enabling a password policy for all accounts.

About the Service:

AWS Identity and Access Management (IAM) allows you to securely manage access to AWS services and resources. With IAM, you can create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources.

Permissions can be reviewed and adjusted so that only the required services are accessible, which helps the account adhere to the principle of least privilege.

Impact:

Enforcing the strength, pattern, and rotation of AWS IAM passwords is critical to keeping your AWS account safe and secure. The absence of a strong password policy increases the risk of password guessing and brute-forcing.

Steps to reproduce:

  1. Log in to the AWS Management Console.
    https://console.aws.amazon.com/
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam
  3. Select Account Settings under Access Management.
  4. This page displays a section named Password policy, which shows the password policy of the account.
  5. If the password policy has not been set by the user, this page reflects that the account only uses the default password policy, which is:
    1. The minimum password length is 8 characters.
    2. Passwords must include a minimum of three of the following character types: uppercase, lowercase, numbers, and ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
    3. Passwords must not be identical to your AWS account name or email address.
  6. This highlights the need to set an appropriate password policy for the account to keep its security in check.
  7. Repeat the steps for other accounts as well.

Steps for remediation:

  1. Log in to the AWS Management Console.
    https://console.aws.amazon.com/
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam
  3. Select Account Settings under Access Management.
  4. This page displays a section named Password policy, which shows the password policy of the account.
  5. If the password policy has not been set by the user, this page reflects that the account only uses the default password policy, which is:
    1. The minimum password length is 8 characters.
    2. Passwords must include a minimum of three of the following character types: uppercase, lowercase, numbers, and ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
    3. Passwords must not be identical to your AWS account name or email address.
  6. This highlights the need to set an appropriate password policy for the account to keep its security in check.
  7. Select the Change password policy button. In the Set Password Policy tab that appears, check the required policies and then click Save changes.
  8. Repeat the steps for other accounts with the same problem.
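The console check above can also be run against the IAM API, which reports the same "default policy only" condition as a NoSuchEntity error. The following is an added example, not PingSafe's plugin code; it assumes AWS credentials that may call iam:GetAccountPasswordPolicy, and the length, age and reuse thresholds are this example's own baseline rather than AWS defaults.

```python
"""Check whether an AWS account enforces a custom IAM password policy.

Added example, not PingSafe's plugin code. Assumes the AWS credentials in
the environment may call iam:GetAccountPasswordPolicy; the thresholds
below are this example's own baseline, not an AWS default.
"""
from __future__ import annotations

MIN_LENGTH = 14        # assumed baseline values, adjust to your standard
MAX_AGE_DAYS = 90
REUSE_HISTORY = 24
REQUIRED_FLAGS = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                  "RequireNumbers", "RequireSymbols")


def fetch_account_password_policy(iam_client) -> dict | None:
    """Return the account's custom policy, or None when only the AWS
    default policy applies (IAM raises NoSuchEntity in that case)."""
    try:
        return iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        return None


def evaluate_password_policy(policy: dict | None) -> list[str]:
    """Return findings for the policy dict; an empty list means it passes."""
    if policy is None:
        return ["No custom password policy set; the AWS default policy is in use"]
    findings = []
    if policy.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        findings.append(f"MinimumPasswordLength below {MIN_LENGTH}")
    for flag in REQUIRED_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"{flag} is not enabled")
    # MaxPasswordAge is only present when ExpirePasswords is true.
    if not policy.get("ExpirePasswords") or policy.get("MaxPasswordAge", 0) > MAX_AGE_DAYS:
        findings.append(f"Passwords do not expire within {MAX_AGE_DAYS} days")
    if policy.get("PasswordReusePrevention", 0) < REUSE_HISTORY:
        findings.append(f"PasswordReusePrevention below {REUSE_HISTORY}")
    return findings


if __name__ == "__main__":
    import boto3  # imported here so the evaluation logic runs without boto3
    result = evaluate_password_policy(
        fetch_account_password_policy(boto3.client("iam")))
    print("PASS" if not result else "\n".join("FAIL: " + f for f in result))
```

Run it once per account (for example by switching AWS_PROFILE) to cover step 7 of the reproduction steps.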
