This rule ensures IAM password policy requires a minimum length of 14 or greater.
Rule | Ensure IAM password policy requires minimum length of 14 or greater |
Framework | cis_v130 |
Severity | ✔ Medium |
Ensure IAM Password Policy Requires Minimum Length of 14 or Greater (CIS v1.3.0)
Description of the Rule
The IAM password policy is critical for safeguarding accounts within AWS. A robust password policy enforces password complexity requirements, thus reducing the risk of unauthorized access. The Center for Internet Security (CIS) AWS Foundations Benchmark v1.3.0 recommends that the minimum password length for IAM users be at least 14 characters. This recommendation is designed to enhance security by making passwords more difficult for attackers to guess or brute-force.
Troubleshooting Steps
1. Check IAM Password Policy Configuration
If you suspect that your IAM password policy does not comply with the CIS v1.3.0 recommendations, start by retrieving the password policy currently in effect for the account (see the CLI command below).
2. Verify Password Length
Confirm the minimum password length is set to 14 or greater.
If the minimum password length is less than 14 characters, continue to the Remediation section.
CLI Commands and Codes
To check the current password policy using AWS CLI:
aws iam get-account-password-policy
This command returns the password policy in effect. If the output does not include
"MinimumPasswordLength": 14
(or greater), the policy needs to be updated. If the command fails with a NoSuchEntity error, no custom password policy has been set for the account and the AWS default policy applies, which does not meet this requirement.
Step by Step Guide for Remediation
Update IAM Password Policy using AWS Management Console:
Update IAM Password Policy using AWS CLI:
aws iam update-account-password-policy --minimum-password-length 14
aws iam get-account-password-policy
Confirm that the returned policy now shows a MinimumPasswordLength of 14 or greater. Note that update-account-password-policy does not support partial updates: any parameter you omit reverts to its default value, so pass all of the account's existing settings (complexity, rotation, reuse prevention and so on) on the same command rather than only --minimum-password-length.
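The check and the non-destructive update described above, as an added example using boto3 that is not part of the original page. The policy dict shape is that returned by get-account-password-policy; SAMPLE_POLICY is a constructed sample, and the live calls run only when the script is executed directly.

```python
"""Evaluate an IAM account password policy against CIS v1.3.0 (min length 14)
and build an update request that preserves every other existing setting."""
import json
from typing import Any, Dict, Optional

CIS_MIN_LENGTH = 14

# Keys of the GetAccountPasswordPolicy response that are also parameters of
# UpdateAccountPasswordPolicy. The update call has no partial-update mode:
# any parameter left out reverts to its default, so all of these are carried
# forward. ExpirePasswords is returned by the API but is not an update parameter.
_UPDATE_KEYS = (
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "MaxPasswordAge",
    "PasswordReusePrevention", "HardExpiry",
)

# Constructed sample shaped like the CLI output (non-compliant: length 8).
SAMPLE_POLICY: Dict[str, Any] = {
    "MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False,
}


def evaluate_policy(policy: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Return a finding; None means the API raised NoSuchEntity (no custom policy)."""
    if policy is None:
        return {"compliant": False, "minimum_length": None,
                "reason": "no account password policy set; AWS default applies"}
    length = int(policy.get("MinimumPasswordLength", 0))
    ok = length >= CIS_MIN_LENGTH
    return {"compliant": ok, "minimum_length": length,
            "reason": "ok" if ok else f"MinimumPasswordLength {length} < {CIS_MIN_LENGTH}"}


def build_update_params(policy: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Kwargs for update_account_password_policy: raise the minimum to 14,
    keep all other current settings so the update does not weaken them."""
    params = {k: policy[k] for k in _UPDATE_KEYS if policy and k in policy}
    params["MinimumPasswordLength"] = max(CIS_MIN_LENGTH, int(params.get("MinimumPasswordLength", 0)))
    return params


if __name__ == "__main__":
    import boto3  # only needed for the live check against the account
    iam = boto3.client("iam")
    try:
        current = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        current = None
    finding = evaluate_policy(current)
    print(json.dumps(finding))
    if not finding["compliant"]:
        # Review, then apply with: iam.update_account_password_policy(**params)
        print(json.dumps(build_update_params(current)))
```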
Compliance Through Automation
To ensure that the IAM password policy remains compliant, utilize AWS Config rules or infrastructure as code (IaC) solutions like AWS CloudFormation, Terraform, or Ansible to automate policy enforcement.
For example, an AWS Config rule (CloudFormation) that uses the AWS managed rule IAM_PASSWORD_POLICY to check the password policy:
Resources:
  PasswordPolicy:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "password-policy-min-length"
      Description: "Ensure password policy requires minimum length of 14 or greater."
      Source:
        Owner: "AWS"
        # Managed rule evaluated periodically; it does not take a resource Scope.
        SourceIdentifier: "IAM_PASSWORD_POLICY"
      # Parameter names must match the managed rule's own parameters.
      InputParameters:
        MinimumPasswordLength: "14"
Integrate these into your CI/CD pipeline to maintain ongoing compliance.
By implementing the outlined checks and updates, you will help fortify your AWS environment in alignment with CIS benchmarks. Proper configuration management and automation are key components in maintaining a secure and compliant infrastructure.