
Password Policies Rule

This rule focuses on strong configurations for IAM users' password policies.

Rule: Password policies for IAM users should have strong configurations
Framework: PCI v3.2.1
Severity: Medium

Password Policies for IAM Users - PCI v3 Compliance

The Payment Card Industry Data Security Standard (PCI DSS) version 3 (PCI v3) requires organizations to implement strong password policies for their Identity and Access Management (IAM) users. This helps to protect sensitive credit card information and ensure secure access to systems and applications. To comply with the PCI v3 requirements, configure IAM user password policies as described below.

Policy Description

The password policy for IAM users should meet the following requirements:

  1. Password Complexity: IAM users' passwords should contain a combination of uppercase and lowercase letters, numbers, and special characters. This requirement aims to create strong and complex passwords that are resistant to brute-force attacks.

  2. Password Length: The minimum length of IAM users' passwords should be at least eight characters. Longer passwords are encouraged to provide increased security against password guessing attacks.

  3. Password Expiration: IAM users' passwords should have a maximum validity period of 90 days. Regular password changes help minimize the impact of a compromised password.

  4. Password History: The password history should be enabled with a restriction preventing re-use of the last five passwords. This prevents users from using the same passwords repeatedly and promotes the use of unique and different passwords.

  5. Account Lockout: Implement an account lockout policy for IAM users after six failed login attempts within a specified time frame (e.g., 30 minutes). The lockout duration should be a minimum of 30 minutes or until an administrator unlocks the account.

Troubleshooting Steps

1. Password Complexity Issues

  • Ensure that the IAM password policy enforces the use of uppercase and lowercase letters, numbers, and special characters.
  • Verify the password requirements and modify them if necessary.

2. Password Length Issues

  • Validate that the minimum password length requirement is set to at least eight characters.
  • Adjust the policy if the requirement is not met.

3. Password Expiration Issues

  • Confirm that the password expiration period is set to a maximum of 90 days.
  • Modify the policy settings if the expiration period exceeds the allowed limit.

4. Password History Issues

  • Enable the password history feature.
  • Check if the policy prevents users from reusing their last five passwords.
  • Update the policy if necessary.

5. Account Lockout Issues

  • Verify if the account lockout policy is configured to trigger after six failed attempts within a specified time frame.
  • Ensure the lockout duration is set to a minimum of 30 minutes.
  • Adjust the policy settings accordingly.

Necessary Codes (if applicable)

The following AWS CLI command can be used to update the password policy for IAM users:

aws iam update-account-password-policy \
    --minimum-password-length 8 \
    --require-symbols \
    --require-numbers \
    --require-uppercase-characters \
    --require-lowercase-characters \
    --max-password-age 90 \
    --password-reuse-prevention 5 \
    --hard-expiry
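As an added check (not part of this page or Cloud Defense's tooling), the following Python evaluates the policy returned by `aws iam get-account-password-policy` against the requirements listed above; `fetch_policy` assumes boto3 and configured AWS credentials, and the sample policy is constructed. Account lockout (requirement 5) has no field in that response, so the checker covers the settings the CLI command above sets.

```python
# Added example (not from the page or Cloud Defense): evaluate an IAM account
# password policy against the PCI v3 settings listed above. The dict mirrors
# `aws iam get-account-password-policy` / boto3 get_account_password_policy()
# ["PasswordPolicy"]; keys for unset options are absent in real responses.

def check_password_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the policy complies."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < 8:
        findings.append("minimum password length is below 8")
    for key, label in (("RequireUppercaseCharacters", "uppercase letters"),
                       ("RequireLowercaseCharacters", "lowercase letters"),
                       ("RequireNumbers", "numbers"),
                       ("RequireSymbols", "special characters")):
        if not policy.get(key, False):
            findings.append(f"passwords are not required to contain {label}")
    # MaxPasswordAge is only present when ExpirePasswords is true.
    max_age = policy.get("MaxPasswordAge")
    if not policy.get("ExpirePasswords") or max_age is None or max_age > 90:
        findings.append("password expiration is off or exceeds 90 days")
    if policy.get("PasswordReusePrevention", 0) < 5:
        findings.append("password history allows reuse within the last 5 passwords")
    if not policy.get("HardExpiry", False):
        findings.append("hard expiry is not enabled")
    return findings

def fetch_policy(session=None) -> dict:
    """Fetch the live policy (assumes AWS credentials are configured).
    An account with no custom policy raises NoSuchEntity; return {} so the
    checks above evaluate AWS defaults, which fail most of the requirements."""
    import boto3  # imported lazily so the checks run without boto3 installed
    iam = (session or boto3).client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return {}

# Constructed sample: a policy that enforces complexity but never expires.
SAMPLE_WEAK_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "ExpirePasswords": False, "PasswordReusePrevention": 3, "HardExpiry": False,
}

if __name__ == "__main__":
    for line in check_password_policy(SAMPLE_WEAK_POLICY) or ["policy complies"]:
        print(line)
```

Replace `SAMPLE_WEAK_POLICY` with `fetch_policy()` to audit a real account; a non-empty result lists exactly which settings the CLI command above still needs to fix.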

Step-by-Step Guide for Remediation

To configure the password policy for IAM users and meet the PCI v3 requirements, follow the step-by-step guide below:

  1. Log in to the AWS Management Console.

  2. Open the IAM console.

  3. In the navigation pane, choose "Account settings."

  4. Under the "Password policy" section, select the "Edit" button.

  5. Configure the following settings to meet the PCI v3 requirements:

    • Set the "Minimum password length" to 8 or more characters.
    • Enable the options for "Require at least one lowercase character," "Require at least one uppercase character," "Require at least one number," and "Require at least one non-alphanumeric character."
    • Set the "Max password age" to 90 days or less.
    • Set the "Password reuse prevention" to 5 or more previous passwords.
    • Enable the "Hard expiry" option.

  6. Select the "Apply password policy" button to save the changes.

  7. Test the new password policy by creating a sample IAM user and ensuring that the password complexity, length, expiration, history, and account lockout features are correctly enforced.

By implementing and maintaining these password policies for IAM users, organizations can ensure compliance with the PCI v3 standard and enhance the overall security of their systems and customer data.
