IAM user passwords should not expire.
AWS IAM Users serve as identities for individuals accessing the AWS console using a username and password or accessing the AWS APIs using IAM User Access Keys. As IAM User access to the AWS Console is done via username and password authorisation, AWS Accounts include a password policy the security and configuration management of IAM User passwords.
Historically, the practise of expiring passwords every 90 days, 180 days, or annually was seen as a reliable security measure. This requirement compelled users to rotate their passwords regularly, thus limiting the validity of lost passwords. However, over time, this system has conflicted with human behaviour and has become less effective as user behaviour in response to time based password expiration incentivises the generation of passwords which tie back to times and dates or passwords which can be incremented via adding a repeating character or incrementing a digit.
For example, passwords that incorporate predictable patterns, such as appending a year or a quarter - eg, Password2023 or PasswordQ1 - appear in databases that feature mandatory password rotation. These variations become easy targets for attackers, who can guess or infer the next password based on past behaviour undermining the intent behind the policy.
We don’t recommend expiring passwords on a chronological basis as this results in repeatable patterns and user behaviour being incentivised towards compliance maximisation rather than security maximisation. Therefore, we don’t recommend AWS Account password policies enabling password expiration, instead expiring passwords as an active response rather than as a routine process.
Our general password policy is detailed in our guidance article summarising our enterprise standard password policy.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports..
Available for individual projects or organisations.
