IAM Password Policy for Strong Configuration
Description:
The IAM (Identity and Access Management) password policies for users should have strong configurations in order to adhere to the RBI (Reserve Bank of India) Cyber Security Framework. These strong password configurations ensure the security and integrity of user accounts, preventing unauthorized access and minimizing the risk of data breaches.
Policy Details:
1. Password Length: The minimum password length should be 8 characters or more. Treat 8 as the floor; the CIS AWS Foundations Benchmark recommends 14 characters for IAM users.
2. Complexity: Passwords should contain a combination of uppercase and lowercase letters, numbers, and special characters.
3. Expiry Period: Passwords should have a defined expiry period that requires users to change them regularly. The recommended expiry period is 30-90 days.
4. Password History: Users should not be allowed to reuse their previously used passwords within a specific time frame (e.g., the last six passwords).
5. Account Lockout: Enforce an account lockout policy that temporarily locks the user account after a certain number of failed login attempts, to slow down brute-force attacks. Note that the AWS IAM account password policy has no lockout setting, so for IAM users this control comes from MFA and from monitoring failed ConsoleLogin events in CloudTrail rather than from the password policy itself.
6. MFA (Multi-Factor Authentication): Enable MFA for user accounts to provide an additional layer of security by requiring a second authentication factor. MFA is likewise not part of the IAM password policy; it is enabled per user and enforced with the aws:MultiFactorAuthPresent condition key in IAM policies.
7. Password Recovery: Implement a secure password recovery mechanism that verifies the user's identity before allowing a password reset or recovery.
Troubleshooting Steps (If applicable):
There may be situations where users face issues or encounter errors related to password policies. Here are some troubleshooting steps:
1. User unable to set a new password: Confirm that the new password meets the length and complexity requirements in the policy. If the policy was applied with --hard-expiry and the user's password has already expired, the user cannot change it themselves; an administrator must reset it with aws iam update-login-profile.
2. Account locked after login attempts: Inform the user of the lockout policy and ask them to wait for the lockout duration or contact the system administrator for assistance.
3. Password reset/recovery failure: Verify the user's identity through the configured password recovery mechanism, then assist them in resetting or recovering their password.
Necessary Codes/Configuration (If applicable):
Configuration settings can be applied through the IAM console or with AWS CLI (Command Line Interface) commands. The following example configures the IAM password policy using the AWS CLI:
aws iam update-account-password-policy --minimum-password-length 8 --require-uppercase-characters --require-lowercase-characters --require-symbols --require-numbers --max-password-age 90 --password-reuse-prevention 6 --allow-users-to-change-password --hard-expiry
The AWS CLI must be installed and configured with credentials that allow iam:UpdateAccountPasswordPolicy. Two caveats: --hard-expiry means a user whose password has expired cannot sign in and change it themselves and must have it reset by an administrator (pass --no-hard-expiry instead to let users change an expired password at sign-in), and --password-reuse-prevention counts previous passwords (1-24), not a time window.
Step-by-Step Guide for Remediation:
1. Access the IAM console or open a command line interface authenticated with the AWS CLI.
2. Identify the existing password policy under "Account Settings" in the IAM console, or run aws iam get-account-password-policy. If the command returns a NoSuchEntity error, no custom policy has been set and the AWS default policy is in effect.
3. Review the policy details and assess whether they meet the RBI Cyber Security Framework requirements (minimum length, character classes, expiry period, reuse prevention).
4. If changes are required, run the update command, for example:
aws iam update-account-password-policy --minimum-password-length 8 --require-uppercase-characters --require-lowercase-characters --require-symbols --require-numbers --max-password-age 90 --password-reuse-prevention 6 --allow-users-to-change-password --hard-expiry
5. Validate the updated policy in the console or with aws iam get-account-password-policy, checking that MinimumPasswordLength, the four Require* flags, MaxPasswordAge and PasswordReusePrevention match what was set.
6. Communicate the changes to all IAM users, emphasizing the new password requirements and any password reset procedures.
7. Monitor IAM password policy compliance and perform periodic audits to ensure continued adherence to the RBI Cyber Security Framework.
By following these steps, you can ensure that the IAM password policy is aligned with the strong configurations required by the RBI Cyber Security Framework, providing enhanced security for user accounts and minimizing the risk of unauthorized access.