
Rule: Ensure IAM Password Policy Expires Passwords within 90 Days

This rule ensures that the IAM password policy expires passwords within 90 days for enhanced security.

Rule: Ensure IAM password policy expires passwords within 90 days or less
Framework: General Data Protection Regulation (GDPR)
Severity: High

Rule Description

The IAM password policy should enforce password expiration within 90 days or less to comply with the General Data Protection Regulation (GDPR) requirements. This policy ensures that user passwords are regularly updated, reducing the risk of unauthorized access and protecting sensitive data.

Troubleshooting Steps

If users are not prompted to change their passwords within the specified time frame or if the password expiration is not enforced, the following troubleshooting steps can be performed:

  1. Verify IAM password policy settings: Check the current configuration of the IAM password policy to ensure that the maximum password age is set to 90 days or less.

  2. Confirm user settings: Ensure that the affected users have their passwords set to expire within the specified time frame. Check the user details and verify the date the password was last set.

  3. Test password expiration: Create a test user account and set the password to expire within a shorter duration, such as 10 days. Monitor the user account to confirm that a password change is enforced within the specified time frame.

  4. Check for policy conflicts: Ensure that there are no conflicting policies or organizational rules overriding the IAM password policy. Review all applicable policies and settings to identify any conflicts.

  5. Review IAM password policy history: Check the IAM password policy change history for any recent updates or modifications. A recent change might have affected the password expiration settings.

Necessary Codes

There are no specific codes associated with this rule. Password expiration is configured through the IAM password policy settings, which can be accessed and modified directly through the AWS Management Console or via AWS CLI commands.

Remediation Steps

To enforce password expiration within 90 days or less, follow the step-by-step guide below:

  1. Open the AWS Management Console and navigate to the IAM service.

  2. In the left navigation panel, click on "Account settings."

  3. Under the "Password Policy" section, click on "Edit."

  4. Set the "Maximum password age" value to 90 or a lower value, based on the desired expiration timeframe.

  5. Enable the "Require users to change their password after specified time" option.

  6. Optionally, configure additional password policy settings as per your organization's security requirements (e.g., minimum password length, complexity requirements).

  7. Click on "Apply password policy."

The IAM password policy will now enforce password expiration within the specified time frame. Users will be prompted to change their passwords when the expiration deadline is reached.
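The following script, added here as an example and not part of the original page or the Cloud Defense product, implements troubleshooting step 1 (verify the policy's maximum password age) and the remediation above via the API rather than the console. It evaluates the `PasswordPolicy` document that `aws iam get-account-password-policy` (or boto3's `get_account_password_policy()`) returns, and builds the parameters for `update-account-password-policy`. The sample policy documents are constructed for the example; the field names (`MaxPasswordAge`, `ExpirePasswords`, `HardExpiry`, and so on) are the real IAM response fields. Note the caveat a practitioner needs here: `UpdateAccountPasswordPolicy` does not support partial updates, so any setting you leave out reverts to its default. The helper therefore carries every existing setting over and changes only the maximum age. The `fetch_policy` function is the only part that touches AWS and is not required to run the checks.

```python
"""Check an IAM account password policy for the 90-day expiry rule and
build a non-destructive remediation call (added example, not the page's
own code). Runs offline on constructed sample policies."""
from typing import Dict, List, Optional, Tuple

MAX_AGE_DAYS = 90  # threshold from the rule

# Parameters accepted by iam.update_account_password_policy(). Note that
# ExpirePasswords is read-only in the response: expiry is implied by
# setting MaxPasswordAge.
UPDATE_PARAMS = {
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "MaxPasswordAge",
    "PasswordReusePrevention", "HardExpiry",
}

# Constructed sample: strong policy, but passwords live 180 days.
NON_COMPLIANT_POLICY = {
    "MinimumPasswordLength": 14, "RequireSymbols": True,
    "RequireNumbers": True, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "AllowUsersToChangePassword": True,
    "ExpirePasswords": True, "MaxPasswordAge": 180,
    "PasswordReusePrevention": 24, "HardExpiry": False,
}

# Constructed sample: expiry switched off, so MaxPasswordAge is absent.
NO_EXPIRY_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": False,
    "RequireNumbers": False, "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False, "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

# Constructed sample: compliant at 60 days.
COMPLIANT_POLICY = dict(NON_COMPLIANT_POLICY, MaxPasswordAge=60)


def fetch_policy(iam_client) -> Optional[dict]:
    """Return the account's PasswordPolicy dict, or None when the account
    has no custom policy (boto3 raises NoSuchEntityException then).
    Pass boto3.client("iam"); this is the only function needing AWS."""
    try:
        return iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        return None


def evaluate_password_policy(policy: Optional[dict]) -> Tuple[bool, str]:
    """Return (compliant, reason) for the 90-day expiry rule."""
    if policy is None:
        return False, "no account password policy; AWS default never expires passwords"
    if not policy.get("ExpirePasswords", False):
        return False, "ExpirePasswords is false"
    max_age = policy.get("MaxPasswordAge")
    if max_age is None:
        return False, "MaxPasswordAge is not set"
    if max_age > MAX_AGE_DAYS:
        return False, f"MaxPasswordAge is {max_age} days (limit {MAX_AGE_DAYS})"
    return True, f"MaxPasswordAge is {max_age} days"


def build_remediation_kwargs(policy: Optional[dict]) -> Dict[str, object]:
    """Build kwargs for iam.update_account_password_policy(). The API has
    no partial update (omitted parameters revert to defaults), so all
    existing settings are kept and only MaxPasswordAge is capped."""
    kwargs = {k: v for k, v in (policy or {}).items() if k in UPDATE_PARAMS}
    current = kwargs.get("MaxPasswordAge") or MAX_AGE_DAYS
    kwargs["MaxPasswordAge"] = min(current, MAX_AGE_DAYS)
    return kwargs


def to_cli_args(kwargs: Dict[str, object]) -> List[str]:
    """Render the kwargs as flags for `aws iam update-account-password-policy`
    (booleans become --flag / --no-flag, numbers become --flag N)."""
    args = []
    for key in sorted(kwargs):
        flag = "".join("-" + c.lower() if c.isupper() else c for c in key).lstrip("-")
        value = kwargs[key]
        if isinstance(value, bool):
            args.append(f"--{flag}" if value else f"--no-{flag}")
        else:
            args.extend([f"--{flag}", str(value)])
    return args


if __name__ == "__main__":
    for name, pol in [("non-compliant", NON_COMPLIANT_POLICY),
                      ("no-expiry", NO_EXPIRY_POLICY), ("none", None),
                      ("compliant", COMPLIANT_POLICY)]:
        ok, why = evaluate_password_policy(pol)
        print(f"{name:14} {'PASS' if ok else 'FAIL'}: {why}")
        if not ok:
            print("  aws iam update-account-password-policy",
                  " ".join(to_cli_args(build_remediation_kwargs(pol))))
```

Run it in an account by replacing the sample dicts with `fetch_policy(boto3.client("iam"))`; the printed command is the non-destructive equivalent of remediation steps 4 and 5 above, with the existing minimum length, complexity and reuse settings preserved.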

Note: It is important to communicate the new password policy requirements to all affected users and provide guidance on how to choose strong and secure passwords.

Conclusion

By configuring the IAM password policy to expire passwords within 90 days or less, you comply with the GDPR guidelines and ensure the regular rotation of passwords for enhanced security. Regularly reviewing and maintaining the IAM password policy settings will help in maintaining a secure AWS environment.
