Ensure IAM password policy prevents password reuse

IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. Preventing password reuse increases account resiliency against brute force login attempts.

Risk Level: High
Cloud Entity: AWS Identity and Access Management (IAM)
CloudGuard Rule ID: D9.AWS.IAM.14
Category: Security, Identity, & Compliance

GSL LOGIC

Iam should have passwordPolicy.passwordReusePrevention=24

REMEDIATION

From Portal

  1. Go to AWS Management Console: https://console.aws.amazon.com/iam/
  2. Navigate to IAM Services.
  3. Under Access management go to Account settings.
  4. Select 'Change password policy'.
  5. Select 'Prevent password reuse'.
  6. Set '24' in the Remember passwords.
  7. Click save changes.

From TF
Set the 'password_reuse_prevention' to be equal to 24:

resource "aws_iam_account_password_policy" "strict" {
	...
	password_reuse_prevention       = 24
	...
}

From Command Line
run:

aws iam update-account-password-policy --password-reuse-prevention 24

References

  1. https://workbench.cisecurity.org/benchmarks/679
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-account-password-policy.html

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
IAM is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your users.

Compliance Frameworks

  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0