A-IAM-5

IAM Users Password Policy Not Set

Risk: Moderate
CWE: 521

AWS accounts should have a custom password policy rather than relying on the default password policy.


Details

AWS Identity and Access Management (IAM) Users represent individuals who log in to AWS either through the console using a username and password, or via IAM User Access Keys for use with the AWS CLI and SDKs. Console access, designed for human users, relies on usernames and passwords, the same login method used by most web applications.

The management of console access, including password standards and management, is governed by an account-wide password policy. This policy defines the requirements that passwords must meet to ensure security and operational controls, such as minimum password length, password expiration and required password characters.

AWS provides a default password policy that is generally adequate but does not meet the ideal standards set by the National Institute of Standards and Technology (NIST) Special Publication 800-63B. Additionally, our opinion is that the default password policy does not reflect the data sensitivity and cost implications of large organisations. As such, we recommend that organisations tailor and manage their own password policy to comply with their specific requirements, which may be influenced by data sensitivity, insurance mandates, or other operational considerations.

Additionally, relying on AWS’s default password policy outsources your control over policy updates. When AWS modifies their default policy, you may not have the ability to implement those changes on your terms. A custom password policy allows organisations to define their own standards, control the timing of policy updates and enforce regular password resets for all users to align with their security requirements.

While the default password policy may suffice in some scenarios, most organisations benefit from managing their password policies directly. It’s better to do this sooner rather than later.

Remediations

Managing your password policy is straightforward, although it can be challenging at scale. Our automated Cloud Assessments include scans for AWS accounts without a custom password policy, as well as for policies that can be improved.

Additionally, our general password policy is detailed in our guidance article summarising our enterprise standard password policy.
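The check described above, as an added example that is not SkySiege's scanner code: it evaluates the PasswordPolicy object returned by IAM's GetAccountPasswordPolicy against an organisational baseline, and treats the NoSuchEntity response (no custom policy at all) as the A-IAM-5 condition. The BASELINE thresholds, the function names and the sample policy are assumptions constructed for illustration, not AWS or NIST defaults.

```python
from typing import Optional

# Assumed organisational baseline (not an AWS or NIST default); tune as needed.
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "AllowUsersToChangePassword": True,
    "PasswordReusePrevention": 24,
}

def evaluate_policy(policy: Optional[dict]) -> list[str]:
    """Return findings for an IAM PasswordPolicy dict; empty means compliant.

    policy is None when no custom policy exists: IAM answers NoSuchEntity
    and the AWS default policy applies (the A-IAM-5 condition).
    """
    if policy is None:
        return ["No custom password policy set; AWS default policy in effect"]
    findings = []
    for key, want in BASELINE.items():
        have = policy.get(key)
        if isinstance(want, bool):
            if have is not True:
                findings.append(f"{key} should be enabled")
        elif have is None or have < want:
            findings.append(f"{key} is {have}, baseline requires >= {want}")
    return findings

def fetch_policy() -> Optional[dict]:
    """Read the live policy with boto3 (needs AWS credentials; not run offline)."""
    import boto3  # imported lazily so evaluate_policy() works without boto3
    iam = boto3.client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return None  # no custom policy: the AWS default is in force

# Constructed sample of a weak custom policy, in the shape IAM returns it.
SAMPLE_WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
}
```

Running `evaluate_policy(fetch_policy())` across each account in an organisation gives the per-account view that the scan described above automates.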

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.
