AWS account password policies should allow users to change their own passwords.
AWS Identity and Access Management (IAM) Users represent individuals who log in to AWS either through the console using a username and password, or via IAM User Access Keys for use with the AWS CLI and SDKs. Console access, designed for human users, relies on usernames and passwords, which is the standard login method for various web applications.
As part of password management, the account password policy can be configured to allow IAM Users to change their own passwords without requiring an administrator or elevated role to perform the task. While withholding self-service may initially seem like a security enhancement, it requires an alternative process to handle the requests and communications involved in a password reset. These alternative processes are often slower and introduce complications that the self-service process does not have.
From a security perspective, self-service gives users the fastest route to changing a compromised password. Since self-service does not prevent security teams from manually resetting passwords, denying it only limits the ability of security-conscious individuals to respond to a compromise.
Self-service password management is a common feature of many IAM systems, offering a fast, efficient and logged solution without the need for organisations to build their own processes alongside it. As self-service password changes are available on AWS, we recommend enabling them to ensure that users can respond quickly and securely to any hint of compromise.
We recommend enabling IAM Users to change their own passwords as part of the AWS account-wide password policy. The policy can be updated at any time, and comprehensive AWS documentation is available for guidance. Once the policy is updated, the setting takes immediate effect and requires no additional action.
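One way to audit and remediate this setting with the AWS CLI, as an added example that is not SkySiege's own tooling; it assumes the CLI is installed and credentialed for the account, the sample policy is constructed, and the command builder restates every existing setting because UpdateAccountPasswordPolicy does not support partial updates:

```python
# Added example, not SkySiege's tooling: audit and fix AllowUsersToChangePassword.
# Assumes the AWS CLI is installed and credentialed; dicts map policy field -> CLI flag.
import json
import subprocess

BOOL_FLAGS = {"RequireSymbols": "require-symbols",
              "RequireNumbers": "require-numbers",
              "RequireUppercaseCharacters": "require-uppercase-characters",
              "RequireLowercaseCharacters": "require-lowercase-characters",
              "AllowUsersToChangePassword": "allow-users-to-change-password",
              "HardExpiry": "hard-expiry"}
INT_FLAGS = {"MinimumPasswordLength": "minimum-password-length",
             "MaxPasswordAge": "max-password-age",
             "PasswordReusePrevention": "password-reuse-prevention"}


def needs_remediation(policy: dict) -> bool:
    # True when IAM Users cannot change their own console password.
    return not policy.get("AllowUsersToChangePassword", False)


def build_update_command(policy: dict) -> list:
    """UpdateAccountPasswordPolicy has no partial update: an omitted flag reverts
    to its default, so restate every current setting and flip only one."""
    fixed = dict(policy, AllowUsersToChangePassword=True)
    cmd = ["aws", "iam", "update-account-password-policy"]
    for key, flag in BOOL_FLAGS.items():
        if key in fixed:
            cmd.append(f"--{flag}" if fixed[key] else f"--no-{flag}")
    for key, flag in INT_FLAGS.items():
        if key in fixed:  # MaxPasswordAge/PasswordReusePrevention absent when unset
            cmd += [f"--{flag}", str(fixed[key])]
    return cmd


def remediate(apply: bool = False) -> list:
    """Read the live policy; return the fix (empty if compliant), run it if apply."""
    out = subprocess.run(["aws", "iam", "get-account-password-policy"],
                         capture_output=True, text=True, check=True).stdout
    policy = json.loads(out)["PasswordPolicy"]
    cmd = build_update_command(policy) if needs_remediation(policy) else []
    if cmd and apply:
        subprocess.run(cmd, check=True)
    return cmd


# Constructed sample of get-account-password-policy output with self-service off.
SAMPLE_POLICY = {"MinimumPasswordLength": 14, "RequireSymbols": True,
                 "RequireNumbers": True, "RequireUppercaseCharacters": True,
                 "RequireLowercaseCharacters": True, "AllowUsersToChangePassword": False,
                 "ExpirePasswords": True, "MaxPasswordAge": 90, "PasswordReusePrevention": 24}
```

Note that get-account-password-policy returns NoSuchEntity when the account still uses the default policy; in that case every setting is at its default and only the single flag needs to be supplied.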
Additionally, our general password policy is detailed in our guidance article summarising our enterprise standard password policy.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.