This rule focuses on preventing password reuse within IAM password policy.
Rule | Ensure IAM password policy prevents password reuse
Framework | cis_v140
Severity | Medium
Ensuring IAM Password Policy Prevents Password Reuse for CIS v1.4.0
Introduction to the Rule
The Center for Internet Security (CIS) provides benchmarks that are recognized best practices for securing IT systems and data against threats. CIS v1.4.0 refers to the latest AWS Foundations Benchmark, which includes a recommendation to prevent password reuse in IAM (Identity and Access Management) policy settings. This mitigates the risk that a previously compromised password is put back into use.
Detailed Rule Description
The password policy should be configured so that it prevents users from reusing a specified number of their previous passwords. This ensures that a password which has been compromised cannot be set again by the user, further reinforcing account security.
Troubleshooting Steps
If the IAM password policy does not prevent password reuse as outlined by the CIS benchmarks, check the PasswordReusePrevention parameter. If PasswordReusePrevention is either not set or set to a value that is too low, adjust it accordingly.
Necessary CLI Commands
Use the aws iam get-account-password-policy command to retrieve the current password policy:
aws iam get-account-password-policy
If the PasswordReusePrevention parameter isn't in compliance, use the aws iam update-account-password-policy command to update the policy and set the password reuse prevention parameter:
aws iam update-account-password-policy --password-reuse-prevention <value>
Replace <value> with the number of previous passwords that you want to prevent users from reusing.
Step-by-Step Guide for Remediation
Check Current Password Policy
First, review the current IAM password policy to determine if it meets the CIS benchmark standards.
Update Password Policy
If the current policy does not prevent password reuse, or the value set is not as per CIS recommendations, update it so that it does.
CLI Command for Remediation
Alternatively, adjust the password policy using the AWS CLI and then re-read it to confirm the change:
aws iam update-account-password-policy --password-reuse-prevention 24
aws iam get-account-password-policy
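The check described in the troubleshooting and remediation steps above, as an added example that is not part of the original page: it evaluates the JSON that aws iam get-account-password-policy prints against the value 24 used in the remediation command, and treats the two non-obvious cases (the parameter missing from the policy, and the account having no custom policy at all, which the CLI reports as a NoSuchEntity error) as non-compliant. The function names and the sample policy documents are this example's own assumptions.

```python
import json
import subprocess
from typing import Optional

# Minimum taken from this page's remediation command (CIS v1.4.0 value).
CIS_MIN_REUSE_PREVENTION = 24


def evaluate_reuse_prevention(policy_doc: Optional[str],
                              minimum: int = CIS_MIN_REUSE_PREVENTION) -> dict:
    """Evaluate the stdout of `aws iam get-account-password-policy`.

    policy_doc is None when the CLI reported NoSuchEntity: the account has no
    custom password policy, and the AWS default policy does not prevent reuse,
    so that case is non-compliant too.
    """
    if policy_doc is None:
        return {"compliant": False, "value": None,
                "finding": "no account password policy is set"}
    policy = json.loads(policy_doc).get("PasswordPolicy", {})
    value = policy.get("PasswordReusePrevention")
    if value is None:
        return {"compliant": False, "value": None,
                "finding": "PasswordReusePrevention is not set"}
    if value < minimum:
        return {"compliant": False, "value": value,
                "finding": f"PasswordReusePrevention={value} is below {minimum}"}
    return {"compliant": True, "value": value,
            "finding": f"PasswordReusePrevention={value} meets the minimum of {minimum}"}


def fetch_policy_document() -> Optional[str]:
    """Run the page's CLI command live; return its stdout, or None if no policy exists."""
    proc = subprocess.run(["aws", "iam", "get-account-password-policy"],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        if "NoSuchEntity" in proc.stderr:
            return None
        raise RuntimeError(proc.stderr.strip())
    return proc.stdout


# Constructed sample outputs in the shape the CLI returns (not from a real account).
SAMPLE_COMPLIANT = json.dumps({"PasswordPolicy": {"MinimumPasswordLength": 14,
                                                  "PasswordReusePrevention": 24}})
SAMPLE_TOO_LOW = json.dumps({"PasswordPolicy": {"MinimumPasswordLength": 14,
                                                "PasswordReusePrevention": 5}})
SAMPLE_UNSET = json.dumps({"PasswordPolicy": {"MinimumPasswordLength": 14}})

if __name__ == "__main__":
    for label, doc in (("compliant", SAMPLE_COMPLIANT), ("too low", SAMPLE_TOO_LOW),
                       ("unset", SAMPLE_UNSET), ("no policy", None)):
        print(label, evaluate_reuse_prevention(doc))
```

Against a real account, replace the sample documents with the result of fetch_policy_document(), which needs the AWS CLI and credentials with iam:GetAccountPasswordPolicy.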
Remediation Verification
Go back to the IAM dashboard in the AWS Management Console, and verify that the password policy now reflects the changes you've made to comply with the CIS v1.4.0 benchmark for preventing password reuse.
Maintaining strict password policies, including preventing password reuse, is a fundamental security best practice for AWS environments. Following the steps outlined in this guide will ensure your IAM password policy complies with the CIS benchmarks and bolsters your overall AWS security posture.