IAM User Password Rotation

Luna Ricci

Last Update 3 years ago

Severity

Critical

Description

IAM users should regularly rotate their passwords to prevent the potential compromise of credentials. IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less.

Important: The password settings described here apply only to passwords assigned to IAM users and do not affect any access keys they might have. If a password expires, the user cannot sign in to the AWS Management Console. However, if the user has valid access keys, then the user can still run any AWS CLI or Tools for Windows PowerShell commands. Users can also call any API operations through an application that the user's permissions allow.

Rationale

Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes helps in the following scenarios:

  • Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat.
  • Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted.
  • Many people use the same password for many systems such as work, email, and personal.
  • Compromised end-user workstations might have a keystroke logger.

Remediation

Establish a policy to rotate your passwords on a regular basis to prevent the possibility of compromised credentials.

To create or change a password policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Account Settings.
  3. In the Password Policy section, select Enable password expiration, and set the password expiration period to a number of days between 1 and 1095 inclusive (default is 90 days).
  4. Click Apply Password Policy.

Via CLI

Note: When you set a password expiration period, the expiration period is enforced immediately. For example, assume that you set a password expiration period of 90 days. In that case, all IAM users that currently have an existing password that is older than 90 days are required to change their password at next sign-in.
Note: The AWS Management Console warns IAM users when they are within 15 days of password expiration. IAM users can change their password at any time (as long as they have been given permission to do so). When they set a new password, the rotation period for that password starts over. An IAM user can have only one valid password at a time.
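The policy check from the remediation steps and the immediate-enforcement effect described in the notes above, as an added example (Python, standard library only; this is not StackZone's or AWS's code). It works on the document shapes returned by `aws iam get-account-password-policy` and `aws iam get-credential-report`; the sample policy and the credential report rows below are constructed for the example, as are the account id and user names.

```python
"""Check an AWS account password policy and a credential report for password-age findings."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # the upper bound recommended in the article

# Constructed sample in the shape returned by `aws iam get-account-password-policy`
# (not real account data). When expiration is disabled the response carries
# "ExpirePasswords": false and no "MaxPasswordAge" key.
SAMPLE_POLICY = {
    "PasswordPolicy": {
        "MinimumPasswordLength": 14,
        "RequireSymbols": True,
        "ExpirePasswords": True,
        "MaxPasswordAge": 180,
    }
}

# Constructed credential report rows (column names as in `aws iam get-credential-report`,
# values invented). The root row uses "not_supported", a user without a console
# password uses "N/A", and timestamps are ISO 8601 with a +00:00 offset as in the real report.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T00:00:00+00:00,true,2024-06-01T08:00:00+00:00,2024-01-15T09:30:00+00:00,2024-04-14T09:30:00+00:00,true
bob,arn:aws:iam::111122223333:user/bob,2023-02-10T00:00:00+00:00,true,2024-06-02T08:00:00+00:00,2024-05-20T09:30:00+00:00,2024-08-18T09:30:00+00:00,false
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2023-03-10T00:00:00+00:00,false,N/A,N/A,N/A,false
"""

# Fixed "now" so the sample evaluation is reproducible (constructed for the example).
FIXED_NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)


def policy_findings(policy_doc, max_age_days=MAX_AGE_DAYS):
    """Return a list of findings for a password policy document; an empty list means compliant."""
    pp = policy_doc.get("PasswordPolicy", {})
    findings = []
    if not pp.get("ExpirePasswords", False):
        findings.append("password expiration is disabled")
    age = pp.get("MaxPasswordAge")
    if age is None:
        findings.append("no MaxPasswordAge set")
    elif age > max_age_days:
        findings.append(f"MaxPasswordAge {age} exceeds {max_age_days} days")
    return findings


def _parse_ts(value):
    """Return an aware datetime for an ISO 8601 report value, or None for the report's N/A-style markers."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def stale_passwords(report_csv, max_age_days=MAX_AGE_DAYS, now=None):
    """Return the users whose console password is older than max_age_days.

    These are exactly the users an expiration period catches immediately: they must
    change their password at next sign-in. Users with no console password are skipped.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] != "true":
            continue  # root ("not_supported") and API-only users ("false") have no rotatable console password here
        changed = _parse_ts(row["password_last_changed"])
        if changed is not None and changed < cutoff:
            stale.append(row["user"])
    return stale


if __name__ == "__main__":
    print("policy findings:", policy_findings(SAMPLE_POLICY))
    print("users whose password is older than 90 days:", stale_passwords(SAMPLE_REPORT, now=FIXED_NOW))
```

To run this against a real account, feed it the output of `aws iam get-account-password-policy` and the decoded report from `aws iam get-credential-report --query Content --output text | base64 -d` (the report body is base64 in the Content field). The CLI remediation itself is `aws iam update-account-password-policy --max-password-age 90`; note that this call replaces the whole policy rather than patching it, so any option you leave out (minimum length, required character classes, reuse prevention) reverts to its default, and the existing settings should be passed along with the new age.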
