Password Policies Rule for IAM Users

This rule enforces strong password configurations for IAM users.

Rule: Password policies for IAM users should have strong configurations
Framework: CISA-cyber-essentials
Severity: Critical

Strong Password Policies for IAM Users based on CISA's Cyber Essentials

Enforcing strong password policies for Identity and Access Management (IAM) users is critical to controlling access to an organization's resources: an IAM user's password is often the only secret standing between an attacker and the permissions that user holds. CISA's Cyber Essentials set out baseline cybersecurity practices for organizations, and in the context of IAM they call for robust password policies.

Detailed Description of Strong Password Policy Rule

A strong password policy raises the cost of guessing and credential-stuffing attacks against the user accounts in your IAM system. The settings this rule evaluates are:

  • Password Length: Set a minimum number of characters. This rule checks for at least 12; length does more for resistance to guessing than any other single setting.
  • Complexity Requirements: Require a mix of uppercase letters, lowercase letters, numbers, and symbols.
  • Password Lifespan: Set a maximum password age after which the user must choose a new password (the example below uses 90 days).
  • History Constraints: Prevent reuse of previous passwords for a set number of generations (the example below remembers 24) so users cannot cycle back to a known value.
  • Account Lockout: Temporarily lock an account after repeated failed sign-ins to slow brute-force attempts. Note that the AWS IAM account password policy has no lockout setting, so in AWS the compensating control is MFA on every IAM user.
  • Password Storage: With a managed identity service such as AWS IAM, the provider stores the credentials and this is not yours to configure. Where you operate your own identity store, keep only salted hashes produced by a slow password hash (bcrypt, scrypt or Argon2), never the password itself or a reversible encryption of it.

Troubleshooting Steps

If the policy is not working as expected, follow these steps:

  1. Verify the policy was actually applied by reading it back (for AWS, aws iam get-account-password-policy); if the command reports that no policy exists, the update never took effect and the account defaults apply.
  2. Check for any service-specific exceptions or overrides.
  3. Make sure users are aware that the new requirements apply at their next password change. Existing passwords are not re-checked, so a tightened policy only takes hold as each password is next set.

Necessary Codes

Here's an example of implementing a password policy using AWS CLI for IAM users:

aws iam update-account-password-policy \
    --minimum-password-length 12 \
    --require-symbols \
    --require-numbers \
    --require-uppercase-characters \
    --require-lowercase-characters \
    --allow-users-to-change-password \
    --max-password-age 90 \
    --password-reuse-prevention 24 \
    --hard-expiry

This command replaces the account password policy with the settings shown, matching the requirements listed above. Two details matter in practice: update-account-password-policy does not support partial updates, so any option you leave out reverts to its default (omitting --max-password-age, for instance, turns expiration off), and --hard-expiry means a user whose password has expired cannot set a new one at sign-in and needs an administrator to reset it. Confirm the result with aws iam get-account-password-policy.

Step by Step Guide for Remediation

To enforce a strong password policy in your IAM system, perform the following steps:

  1. Identify the current policy with your IAM system's tools or command-line utilities (for AWS, aws iam get-account-password-policy; a NoSuchEntity error means no custom policy is set and the account defaults apply).
  2. Modify the policy, or create one, so that it meets the requirements above in line with CISA guidance.
  3. Communicate the changes to all IAM users and enforce the new policy.
  4. Monitor and review the policy's effectiveness regularly, re-reading the applied policy to detect drift.
  5. Update the policy in response to new threats or as recommended by cybersecurity best practices.
