Rule: Password Policies for IAM Users with Strong Configurations
This rule focuses on enforcing strong password policies for IAM users.
| Rule | Password policies for IAM users should have strong configurations |
| Framework | CISA-cyber-essentials |
| Severity | ✔ Critical |
Password Policies for IAM Users - CISA Cyber Essentials
Description:
IAM (Identity and Access Management) is a service offered by cloud providers that enables organizations to manage user access to various resources in the cloud environment. It is important to enforce strong password policies for IAM users to ensure secure authentication and protect sensitive data. CISA (Cybersecurity and Infrastructure Security Agency) Cyber Essentials provides guidelines and best practices for securing systems against cyber threats. This policy focuses on establishing strong password configurations for IAM users, in line with the CISA Cyber Essentials recommendations.
Policy Details:
The following details outline the password policy requirements for IAM users:
- 1.
Password Complexity:
- Passwords should be at least 12 characters long.
- Passwords must contain a combination of upper and lower case letters, numbers, and special characters.
- Avoid commonly used or easily guessable passwords.
- 2.
Password Expiration:
- Enforce a password expiration period, such as 90 days or less.
- Users should be prompted to change their password before it expires.
- 3.
Password History:
- Users should not be allowed to reuse their previous 'n' passwords, where 'n' is an organization-defined number.
- 4.
Account Lockout:
- Implement an account lockout policy that temporarily locks accounts after a certain number of failed login attempts.
- Lockout duration should be set to an organization-specific value, for example, 30 minutes.
- 5.
Multi-Factor Authentication (MFA):
- Strongly encourage the use of MFA for IAM users to provide an additional layer of security.
Troubleshooting Steps:
If users encounter issues complying with the password policy, the following troubleshooting steps can be followed:
- 1.
Invalid Password Error:
- Ensure the password meets the complexity requirements (length, character types).
- Avoid using common passwords or any information associated with the user.
- 2.
Expired Password Error:
- Prompt the user to change their password following the password change procedure outlined below.
- 3.
Account Lockout:
- Advise the user to wait for the lockout duration to expire or contact the system administrator for assistance.
- Verify if the user has entered correct credentials and hasn't been locked out due to too many failed login attempts.
Code Implementation:
Depending on the cloud provider, the following code snippets can be used to configure the password policy for IAM users.
Amazon Web Services (AWS):
AWS CLI Command to update the password policy:
aws iam update-account-password-policy --minimum-password-length 12 --require-symbols --require-numbers --require-uppercase-characters --require-lowercase-characters --allow-users-to-change-password --max-password-age 90 --password-reuse-prevention 5 --hard-expiry
Microsoft Azure:
Azure CLI Command to update the password policy:
az ad tenant update --password-policy "DisablePasswordExpiration=true, PasswordLifetime=90"
Google Cloud Platform (GCP):
GCP Console steps to update the password policy:
- 1.Go to the IAM & Admin section in the GCP Console.
- 2.Select the "Password policies" tab.
- 3.Configure the desired password complexity, expiry, history, account lockout, and MFA options.
Remediation Steps:
To enforce the password policy for IAM users, follow these steps:
- 1.Review the existing password policy configuration for IAM users.
- 2.Determine the required changes based on the CISA Cyber Essentials password policy requirements.
- 3.Identify the cloud provider being used (AWS, Azure, GCP, etc.).
- 4.Based on the cloud provider, use the respective CLI commands or console instructions mentioned above to update the password policy.
- 5.Communicate the updated password policy to all IAM users and provide assistance if necessary.
- 6.Periodically review and assess the effectiveness of the password policy, making adjustments as needed to enhance security.
Remember to document any changes made to the password policy for auditing purposes.
Note:
To further enhance security, it is recommended to implement additional measures such as monitoring for unusual account activity, regularly reviewing user access privileges, and providing security awareness training to IAM users.