Ensure IAM user password is rotated every 90 days or less

It is recommended that passwords be regularly rotated. If your AWS account does have a password policy that requires password rotation, ensure that the IAM user passwords are changed according to the current password policy. Rotating passwords will reduce the window of opportunity for a password that is associated with a compromised or terminated account to be used. passwords should be rotated to ensure that data cannot be accessed with an old password which might have been lost, cracked, or stolen.

Risk Level: High
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.IAM.98
Category: Security, Identity, & Compliance

GSL LOGIC

IamUser where passwordEnabled='true' should have passwordLastChanged after(-90, 'days')

REMEDIATION

From Portal

  1. Login to the AWS Management Console: https://console.aws.amazon.com/
  2. Click Services
  3. Click IAM
  4. Click on Users
  5. Select on the relevant user
  6. Click on Security Credentials
  7. Under 'Sign-in credentials' go to 'Console password' and click on 'Manage'
  8. select 'Require password reset'
    Note : make sure that the user has permission to change his or her password.
  9. Login to this user account and create new password.
  10. Repeat steps 5-9 for other relevant IAM users.

From Command Line

  1. To update password, run:
aws iam update-login-profile --user-name USER_NAME --password NEW_PASSWORD --password-reset-required

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_enable-user-change.html
  3. https://docs.aws.amazon.com/cli/latest/reference/iam/update-login-profile.html

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management