Ensure IAM password policy minimum length rule

This rule ensures IAM password policy requires a minimum length of 14 or greater.

Rule: Ensure IAM password policy requires minimum length of 14 or greater
Framework: cis_v130
Severity: Medium

Ensure IAM Password Policy Requires Minimum Length of 14 or Greater (CIS v1.3.0)

Description of the Rule

The IAM password policy is critical for safeguarding accounts within AWS. A robust password policy enforces password complexity requirements, thus reducing the risk of unauthorized access. The Center for Internet Security (CIS) AWS Foundations Benchmark v1.3.0 recommends that the minimum password length for IAM users should be at least 14 characters. This recommendation is designed to enhance security by making passwords more difficult for attackers to guess or brute force.

Troubleshooting Steps

1. Check IAM Password Policy Configuration

If you suspect that your IAM password policy does not comply with the CIS v1.3.0 recommendations:

  • Log into the AWS Management Console.
  • Navigate to the IAM dashboard.
  • Go to Account settings to review the current password policy.

2. Verify Password Length

Confirm the minimum password length is set to 14 or greater.

If the minimum password length is less than 14 characters, continue to the Remediation section.

CLI Commands and Codes

To check the current password policy using AWS CLI:

aws iam get-account-password-policy

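This command returns the password policy in effect. If the output does not include "MinimumPasswordLength": 14 (or greater), the policy needs to be updated. If the account has no custom password policy at all, the command fails with a NoSuchEntity error instead of returning a policy; treat that as non-compliant as well.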

Step by Step Guide for Remediation

Update IAM Password Policy using AWS Management Console:

  1. Log into the AWS Management Console.
  2. Navigate to the IAM dashboard.
  3. Open Account settings.
  4. Under Password Policy, click on "Change Password Policy."
  5. Adjust the "Minimum password length" to at least 14 characters.
  6. Click on "Save changes" to apply the new policy.

Update IAM Password Policy using AWS CLI:

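  1. Open your command-line interface (CLI).
  2. Execute the following command to set the minimum password length. This operation does not support partial updates: any setting you omit reverts to its default value, so add the flags for the other settings you already enforce to the same call.

     aws iam update-account-password-policy --minimum-password-length 14

  3. Verify the policy has been updated:

     aws iam get-account-password-policy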

Ensure you receive confirmation that the new settings are now in effect.
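
The following is an added example, not code from the original page or from AWS: it checks the output of `aws iam get-account-password-policy` against the 14-character threshold and builds an update command that restates the existing settings, since `update-account-password-policy` resets anything omitted to its default. It assumes the caller passes in the command's stdout (empty when the command fails with NoSuchEntity); the function names and the sample policy are constructed for illustration.

```python
import json
import shlex

CIS_MIN_LENGTH = 14  # threshold stated by the rule on this page

# Output key -> update-account-password-policy flag (ExpirePasswords is output-only)
BOOL_FLAGS = {
    "RequireSymbols": "require-symbols",
    "RequireNumbers": "require-numbers",
    "RequireUppercaseCharacters": "require-uppercase-characters",
    "RequireLowercaseCharacters": "require-lowercase-characters",
    "AllowUsersToChangePassword": "allow-users-to-change-password",
    "HardExpiry": "hard-expiry",
}
INT_FLAGS = {"MaxPasswordAge": "max-password-age", "PasswordReusePrevention": "password-reuse-prevention"}

def load_policy(cli_stdout):
    """Parse the CLI's stdout; empty stdout (assumed NoSuchEntity) means no custom policy."""
    if not cli_stdout.strip():
        return {}
    return json.loads(cli_stdout).get("PasswordPolicy", {})

def is_compliant(cli_stdout):
    """True only when a policy exists and its minimum length is 14 or greater."""
    return int(load_policy(cli_stdout).get("MinimumPasswordLength", 0)) >= CIS_MIN_LENGTH

def remediation_command(cli_stdout):
    """Build an update command that raises the length and restates every other setting."""
    policy = load_policy(cli_stdout)
    length = max(int(policy.get("MinimumPasswordLength", 0)), CIS_MIN_LENGTH)
    args = ["aws", "iam", "update-account-password-policy",
            "--minimum-password-length", str(length)]
    for key, flag in BOOL_FLAGS.items():
        if key in policy:  # boolean CLI flags come in --x / --no-x pairs
            args.append(("--" if policy[key] else "--no-") + flag)
    for key, flag in INT_FLAGS.items():
        if key in policy:
            args += ["--" + flag, str(policy[key])]
    return " ".join(shlex.quote(a) for a in args)

# Constructed sample of `aws iam get-account-password-policy` output (not from a real account)
SAMPLE = """{"PasswordPolicy": {"MinimumPasswordLength": 8, "RequireSymbols": true,
 "RequireNumbers": true, "RequireUppercaseCharacters": false,
 "RequireLowercaseCharacters": true, "AllowUsersToChangePassword": true,
 "ExpirePasswords": true, "MaxPasswordAge": 90, "PasswordReusePrevention": 24}}"""

if __name__ == "__main__":
    print("compliant:", is_compliant(SAMPLE))
    print(remediation_command(SAMPLE))
```

Review the generated command before running it; settings absent from the current policy are left out and therefore take their defaults.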

Compliance Through Automation

To ensure that the IAM password policy remains compliant, utilize AWS Config rules or infrastructure as code (IaC) solutions like AWS CloudFormation, Terraform, or Ansible to automate policy enforcement.

For example, an AWS Config rule to check for the compliant password policy:

Resources:
  PasswordPolicy:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "password-policy-min-length"
      Description: "Ensure password policy requires minimum length of 14 or greater."
      # IAM_PASSWORD_POLICY is evaluated periodically, so no resource Scope is set.
      Source:
        Owner: "AWS"
        SourceIdentifier: "IAM_PASSWORD_POLICY"
      InputParameters:
        # Parameter name as defined by the managed rule.
        MinimumPasswordLength: "14"

Integrate these into your CI/CD pipeline to maintain ongoing compliance.

By implementing the outlined checks and updates, you will help fortify your AWS environment in alignment with CIS benchmarks. Proper configuration management and automation are key components in maintaining a secure and compliant infrastructure.
