A-IAM-2

IAM Users Password Policy Allows 8-15 Characters with Limited Characters

Risk:
Moderate
CWE:
521

AWS IAM user passwords shorter than 15 characters should be required to use the full range of character classes.


Details

AWS IAM Users are provisioned with a username and password used to access the AWS Web Console. To ensure that all IAM Users log in securely, each AWS Account carries a password policy that sets the standards and management configuration for IAM User passwords.

According to the NIST guidelines, passwords should be a minimum of 8 characters long but should ideally be 15 characters or more. The NIST standards also state that composition rules should not be imposed, allowing users to choose whatever password they like.

While this is an understandable position, we believe that passwords under 15 characters in length that do not use a range of different characters are too exposed to brute-force attacks, given the password sets already leaked into the wild.

If passwords under 15 characters in length are allowed, the policy should require the full range of character classes so that passwords carry enough entropy to resist rapid compromise by brute-force attacks.

Remediation

Ideally, AWS password policies should require that users provide a password of 15 characters or more, to encourage the use of passphrases rather than single words. Doing so reduces the need to enforce a wider character set.
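The check described in the Details section and the remediation above can be applied to the output of `aws iam get-account-password-policy` (or boto3's `get_account_password_policy`). The script below is an added example, not SkySiege's scanner code: it parses that JSON, reports whether the policy passes A-IAM-2 (15+ character minimum, or a shorter minimum backed by all four composition flags), and builds the full `aws iam update-account-password-policy` argument list that raises the policy to the recommended state. The sample policies are constructed for illustration, not captured from a real account.

```python
"""Evaluate an AWS IAM account password policy against check A-IAM-2.

Added example (not SkySiege's own scanner code). Input is the "PasswordPolicy"
object printed by `aws iam get-account-password-policy`. None models the
NoSuchEntity case, where the account has no custom policy. The 15-character
threshold is the one stated in the article.
"""
import json

PASSPHRASE_LENGTH = 15
# IAM composition flags mapped to their update-account-password-policy switches.
COMPOSITION_FLAGS = {
    "RequireUppercaseCharacters": "--require-uppercase-characters",
    "RequireLowercaseCharacters": "--require-lowercase-characters",
    "RequireNumbers": "--require-numbers",
    "RequireSymbols": "--require-symbols",
}


def parse_policy(cli_output):
    """Parse the JSON printed by `aws iam get-account-password-policy`."""
    return json.loads(cli_output)["PasswordPolicy"]


def evaluate_policy(policy):
    """Return (compliant, reason) for one account password policy."""
    if policy is None:
        return False, ("no custom password policy; the AWS default applies, which is "
                       "under 15 characters and does not require all four classes")
    # 6 is the minimum length AWS applies when the parameter is left unset.
    min_len = policy.get("MinimumPasswordLength", 6)
    if min_len >= PASSPHRASE_LENGTH:
        return True, f"minimum length {min_len} meets the {PASSPHRASE_LENGTH}-character passphrase bar"
    missing = [flag for flag in COMPOSITION_FLAGS if not policy.get(flag, False)]
    if not missing:
        return True, f"minimum length {min_len} with all four character classes required"
    return False, (f"minimum length {min_len} is under {PASSPHRASE_LENGTH} and the policy "
                   f"does not require: {', '.join(missing)}")


def remediation_command(policy):
    """Build the complete `aws iam update-account-password-policy` argument list.

    update-account-password-policy replaces the whole policy: any parameter not
    supplied reverts to its default. Existing settings such as MaxPasswordAge
    and PasswordReusePrevention are therefore carried over explicitly.
    """
    policy = policy or {}
    new_min = max(policy.get("MinimumPasswordLength", 0), PASSPHRASE_LENGTH)
    args = ["aws", "iam", "update-account-password-policy",
            "--minimum-password-length", str(new_min)]
    args.extend(COMPOSITION_FLAGS.values())
    args.append("--allow-users-to-change-password"
                if policy.get("AllowUsersToChangePassword", False)
                else "--no-allow-users-to-change-password")
    if "MaxPasswordAge" in policy:
        args += ["--max-password-age", str(policy["MaxPasswordAge"])]
    if "PasswordReusePrevention" in policy:
        args += ["--password-reuse-prevention", str(policy["PasswordReusePrevention"])]
    args.append("--hard-expiry" if policy.get("HardExpiry", False) else "--no-hard-expiry")
    return args


# Constructed sample policies (not captured from a real account).
SAMPLE_POLICIES = {
    "weak": {"MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
             "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
             "AllowUsersToChangePassword": True, "ExpirePasswords": False},
    "short_full_charset": {"MinimumPasswordLength": 8, "RequireSymbols": True,
                           "RequireNumbers": True, "RequireUppercaseCharacters": True,
                           "RequireLowercaseCharacters": True,
                           "AllowUsersToChangePassword": True, "ExpirePasswords": False},
    "passphrase": {"MinimumPasswordLength": 16, "RequireSymbols": False,
                   "RequireNumbers": False, "RequireUppercaseCharacters": False,
                   "RequireLowercaseCharacters": False, "AllowUsersToChangePassword": True,
                   "ExpirePasswords": True, "MaxPasswordAge": 90,
                   "PasswordReusePrevention": 24},
}

if __name__ == "__main__":
    for name, policy in list(SAMPLE_POLICIES.items()) + [("none", None)]:
        compliant, reason = evaluate_policy(policy)
        print(f"{name}: {'PASS' if compliant else 'FAIL'} ({reason})")
        if not compliant:
            print("  remediation:", " ".join(remediation_command(policy)))
```

Pipe real output into `parse_policy` to run the check against an account; if the `get-account-password-policy` call fails with NoSuchEntity, evaluate `None`. Review the generated update command before running it, since it rewrites the entire policy rather than patching individual fields.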

Our general password policy is detailed in our guidance article summarising our enterprise standard password policy.

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.

Related Tests