A-IAM-7

IAM Users Password Policy Remembers Less Than 3 Previous Passwords

Risk:
High
CWE:
521

AWS Account Password Policies should prevent users from utilizing previous passwords.


Details

AWS Identity and Access Management (IAM) Users represent individuals who log in to AWS either through the console using a username and password, or via IAM User Access Keys for use with the AWS CLI and SDKs. Console access, designed for human users, relies on usernames and passwords, which is the standard login method for various web applications.

Each AWS account has a password policy that governs the management and security requirements for all passwords associated with users in that account. One feature of the password policy is the ability to remember a certain number of previous passwords used by each IAM User. This is crucial as it prevents users from reverting to a prior password after changing it, ensuring that users do not set a password that may already be known to unauthorised parties.

Because we don’t recommend time-based expiration of IAM User passwords, in these environments each expired password has been replaced in response to a security event rather than as part of a routine expiration. With this in mind, it is even more important to ensure that these passwords are not reused. We suggest remembering at least three previous passwords, although the AWS Password Policy supports up to 20 previous passwords. We often set the remembered password limit to the maximum, as without routine expiration there is no reason not to cover the full range of potentially compromised passwords.

Remediation

The number of passwords remembered ties back to your password expiration policy, which largely determines both the rate at which passwords expire and the reason they are expired. In an environment that does not routinely expire passwords, each password has been expired for a practical reason, and therefore the maximum number of expired passwords should be remembered.
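The check and the fix described above, as an added example that is not part of the original article or any SkySiege tooling: it evaluates the `PasswordPolicy` dict that IAM's `GetAccountPasswordPolicy` returns (obtainable with `boto3.client("iam").get_account_password_policy()["PasswordPolicy"]`) and builds the parameters for `UpdateAccountPasswordPolicy`. The threshold of 3 and the target of 20 follow the text; the sample policies are constructed.

```python
"""Check and remediate IAM account password reuse prevention (added example).

`policy` is the 'PasswordPolicy' dict returned by IAM GetAccountPasswordPolicy,
or None when the account has no custom policy (IAM raises NoSuchEntityException,
and the AWS defaults, which remember no previous passwords, apply).
"""
MIN_REMEMBERED = 3  # threshold for this finding (A-IAM-7)

# Returned by GetAccountPasswordPolicy but not accepted as a parameter by
# UpdateAccountPasswordPolicy, so it must be dropped before updating.
READ_ONLY_FIELDS = {"ExpirePasswords"}


def evaluate_reuse_prevention(policy, minimum=MIN_REMEMBERED):
    """Return (compliant, remembered_count, message) for the given policy."""
    if policy is None:
        remembered = 0
        detail = "no account password policy is configured, AWS defaults apply"
    else:
        # IAM omits PasswordReusePrevention entirely when it was never set.
        remembered = int(policy.get("PasswordReusePrevention", 0))
        detail = f"PasswordReusePrevention={remembered}"
    compliant = remembered >= minimum
    status = "PASS" if compliant else "FAIL"
    return compliant, remembered, f"{status}: {detail} (minimum {minimum})"


def remediation_parameters(policy, remembered):
    """Build kwargs for UpdateAccountPasswordPolicy that raise reuse prevention.

    UpdateAccountPasswordPolicy does not support partial updates: any parameter
    left out reverts to its default, so every existing setting is carried over
    rather than sending PasswordReusePrevention on its own.
    """
    params = {k: v for k, v in (policy or {}).items() if k not in READ_ONLY_FIELDS}
    params["PasswordReusePrevention"] = remembered
    return params


if __name__ == "__main__":
    # Constructed sample response, not taken from a real account.
    weak = {"MinimumPasswordLength": 14, "RequireSymbols": True,
            "PasswordReusePrevention": 1, "ExpirePasswords": False}
    print(evaluate_reuse_prevention(weak)[2])
    # Settings to pass to iam.update_account_password_policy(**params)
    print(remediation_parameters(weak, 20))
```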

Our general password policy is detailed in our guidance article summarising our enterprise standard password policy.

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.

Related Tests