AWS Account Password Policy should not require hard password resets, where passwords are reset only by an administrator.
AWS Identity and Access Management (IAM) Users represent individuals who log in to AWS either through the console using a username and password, or via IAM User Access Keys for use with the AWS CLI and SDKs. Console access, designed for human users, relies on usernames and passwords, which is the standard login method for various web applications.
One significant feature of the AWS Password Policy is the ability to enforce hard password expirations. With this setting enabled, an expired password can only be replaced by an administrator issuing a new one; the user cannot set it themselves. This practice creates a security issue, as it forces administrators to use a secondary communication method to deliver replacement passwords to IAM Users. Such out-of-band communication increases the risk of a breach, because users have to rely on additional channels to exchange credentials, without any corresponding improvement to the original password reset process.
Relying on a hard password reset process can also lead to operational challenges, as users must go through a cumbersome process to obtain a new password. This poses an operational risk during mass password reset events, impacting user productivity and efficiency. Our experience with various identity and access management systems, both within and outside of AWS, has shown that self-service password reset is the more effective approach: it distributes the work to the users themselves and minimises the additional communication routes and processes that administrator-only resets require.
Avoid using hard password resets. If you turn them off, be aware that users whose passwords have already expired will still need to choose a new password on their next log in.
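The following is an added example, not code from the original article or from AWS, showing how to check an account password policy for the hard-expiry setting and how to build the corresponding remediation command. It reads the JSON document that `aws iam get-account-password-policy` returns (the sample below is constructed; the field names match the IAM `PasswordPolicy` structure, the values are made up), flags the case where expired passwords can only be reset by an administrator, and emits an `aws iam update-account-password-policy` command. The function and variable names are the example's own.

```python
"""Assess an AWS account password policy for administrator-only resets.

Added example. Input is the JSON returned by
`aws iam get-account-password-policy`; the sample below is constructed.
"""
import json
import shlex

# Constructed sample of the get-account-password-policy output.
# Field names follow the IAM PasswordPolicy structure; values are made up.
SAMPLE_POLICY_JSON = """
{
  "PasswordPolicy": {
    "MinimumPasswordLength": 14,
    "RequireSymbols": true,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": true,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": true
  }
}
"""


def assess_password_policy(policy_json: str) -> dict:
    """Return findings about whether users can reset their own passwords.

    HardExpiry only takes effect once passwords actually expire
    (ExpirePasswords / MaxPasswordAge), so the two are evaluated together.
    AllowUsersToChangePassword=false blocks self-service outright.
    """
    policy = json.loads(policy_json).get("PasswordPolicy", {})
    hard_expiry = bool(policy.get("HardExpiry", False))
    expire = bool(policy.get("ExpirePasswords", False))
    allow_change = bool(policy.get("AllowUsersToChangePassword", False))

    findings = []
    if hard_expiry and expire:
        findings.append("HardExpiry is enabled: expired passwords can only be "
                        "reset by an administrator.")
    elif hard_expiry:
        findings.append("HardExpiry is set but passwords never expire; the flag "
                        "is dormant until MaxPasswordAge is configured.")
    if not allow_change:
        findings.append("AllowUsersToChangePassword is false: users cannot "
                        "change their own password at all.")

    return {
        "hard_expiry": hard_expiry,
        "expire_passwords": expire,
        "allow_users_to_change_password": allow_change,
        "self_service_blocked": (hard_expiry and expire) or not allow_change,
        "findings": findings,
    }


# Boolean policy fields and their update-account-password-policy flags.
_BOOL_FLAGS = {
    "RequireSymbols": "require-symbols",
    "RequireNumbers": "require-numbers",
    "RequireUppercaseCharacters": "require-uppercase-characters",
    "RequireLowercaseCharacters": "require-lowercase-characters",
}


def remediation_command(policy_json: str) -> list:
    """Build the CLI command that disables hard expiry and keeps self-service on.

    update-account-password-policy does not do partial updates: any parameter
    left out reverts to its default, so every existing setting is re-supplied.
    Returned as argv tokens so callers can pass it to subprocess or join it.
    """
    policy = json.loads(policy_json).get("PasswordPolicy", {})
    cmd = ["aws", "iam", "update-account-password-policy"]
    # IAM's default minimum length is 8 if the field were ever absent.
    cmd += ["--minimum-password-length", str(policy.get("MinimumPasswordLength", 8))]
    for field, flag in _BOOL_FLAGS.items():
        cmd.append(f"--{flag}" if policy.get(field) else f"--no-{flag}")
    # Integer settings are omitted when unset; there is no --expire-passwords
    # flag, expiry is implied by --max-password-age.
    if policy.get("MaxPasswordAge"):
        cmd += ["--max-password-age", str(policy["MaxPasswordAge"])]
    if policy.get("PasswordReusePrevention"):
        cmd += ["--password-reuse-prevention", str(policy["PasswordReusePrevention"])]
    # The two settings this article is about: self-service on, hard expiry off.
    cmd += ["--allow-users-to-change-password", "--no-hard-expiry"]
    return cmd


if __name__ == "__main__":
    result = assess_password_policy(SAMPLE_POLICY_JSON)
    for line in result["findings"]:
        print("FINDING:", line)
    if result["self_service_blocked"]:
        print("Suggested remediation:")
        print(shlex.join(remediation_command(SAMPLE_POLICY_JSON)))
```

To run it against a real account, replace `SAMPLE_POLICY_JSON` with the output of `aws iam get-account-password-policy`; review the generated command before executing it, since it rewrites the whole policy.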
Additionally, our general password policy is detailed in our guidance article summarising our enterprise standard password policy.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.