
Detected weak password policy

This rule checks for and lists all AWS accounts with a weak password policy. nOps strongly recommends configuring a strong password policy for every AWS account, with essential settings such as minimum character length and password expiration.

This rule can help you with the following:

  • AWS Well-Architected Framework Lens

The AWS account root user password and IAM user access keys are not covered by the IAM password policy. If a password expires, the IAM user can no longer sign in to the AWS Management Console but can still use their access keys.

Default AWS Password Policy

If an administrator does not configure a custom password policy, IAM user passwords must adhere to the AWS default password policy. The default password policy enforces the following conditions:

  • Minimum of 8 characters and a maximum of 128 characters
  • Minimum of three of the following character types: uppercase, lowercase, numbers, and ! @ # $ % & * ( ) + - = [ ] | ' symbols
  • Must not be the same as your AWS account name or email address.

nOps Recommended Password Policy

nOps recommends that you configure a custom password policy for IAM users with the following conditions:

  • Minimum Password Length: Specify a minimum character length for passwords (6–128)
  • Password strength: You can select any of the following specifications below to define the strength of your IAM user passwords:
    • Require at least one uppercase letter from the Latin alphabet (A–Z)
    • Require at least one lowercase letter from the Latin alphabet (a–z)
    • Require at least one number
    • Require at least one nonalphanumeric character ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
  • Enable password expiration: The user's password expires after a specified number of days (e.g., 90 days), and the user must set a new password to access the AWS Management Console.
  • Password expiration requires administrator reset: Prevent IAM users from updating their passwords after the password expires.
  • Allow users to change their own password: You can allow all IAM users in your account to change their passwords via the IAM console.
  • Prevent password reuse: prevent IAM users from reusing a specified number of previous passwords.

Audit

To confirm the usage and strength of a password policy for your AWS accounts, perform the following:

1. Sign in to the AWS Management Console.

2. Access the IAM dashboard at https://console.aws.amazon.com/iam/.

3. In the Access management section of the left navigation pane, choose Account settings.

4. Look at the Password policy section.

a. If you see the following text, your AWS account does not have a custom policy enabled.

Password policy

This AWS account uses the following default password policy:

You are using AWS Default Password Policy and must change to a custom nOps recommended password policy.

b. If instead you see the following text, your AWS account is using a custom password policy.

Password policy

This AWS account uses the following custom password policy:

Next, determine whether the custom policy has the necessary conditions set:

1. Click the Change button in the Password policy section.

2. You will be presented with a screen like the one below:

Modify Password Policy

3. Review the options set for the password policy. If they do not meet the following requirements, your AWS account does not have a nOps recommended strong password policy.

a. One of the following options is checked:

  1. Require at least one uppercase letter from the Latin alphabet (A–Z)
  2. Require at least one lowercase letter from the Latin alphabet (a–z)
  3. Require at least one number
  4. Require at least one non-alphanumeric character ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '

b. The following options must be selected and turned on:

  1. Enforce minimum password strength: must be >10 characters
  2. Enable password expiration: must be selected and set to 90 days
  3. Password expiration requires administrator reset
  4. Allow users to change their own password
  5. Prevent password reuse

1. Using the AWS CLI, execute the get-account-password-policy command to retrieve the password policy for your AWS account:

aws iam get-account-password-policy

2. The output will be one of the following:

a. A 404 (NoSuchEntity) error if the AWS account has no custom password policy:

An error occurred (NoSuchEntity) when calling the GetAccountPasswordPolicy operation: The Password Policy with domain name XXXXXXXXX cannot be found.

You are using AWS Default Password Policy and must change to a custom nOps recommended password policy.

b. Or a custom password policy like the sample below:

**Output**
{
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": false,
        "RequireNumbers": false,
        "RequireUppercaseCharacters": false,
        "RequireLowercaseCharacters": false,
        "AllowUsersToChangePassword": false,
        "ExpirePasswords": true,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 1,
        "HardExpiry": false
    }
}

This means your AWS account is using a custom password policy.

In the sample output above, several of the options recommended by nOps are not set to true.

nOps strongly recommends that your custom password policy look like the sample below:

{
    "PasswordPolicy": {
        "MinimumPasswordLength": 10,
        "RequireSymbols": true,
        "RequireNumbers": true,
        "RequireUppercaseCharacters": true,
        "RequireLowercaseCharacters": true,
        "AllowUsersToChangePassword": true,
        "ExpirePasswords": true,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 1,
        "HardExpiry": false
    }
}

You must update your password policy to increase its strength.
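As an added example (not nOps code), the CLI audit above can be automated: audit_password_policy applies the nOps recommended values to a GetAccountPasswordPolicy response and treats the NoSuchEntity error as the AWS default policy. fetch_policy is a hypothetical helper that takes a boto3 IAM client, and the sample policy is constructed from the weak output shown above.

```python
# Added example, not nOps code: check a GetAccountPasswordPolicy result against
# the nOps recommended values on this page. fetch_policy is a hypothetical
# helper that takes a boto3 IAM client; the sample policy below is constructed.
RECOMMENDED = {"MinimumPasswordLength": 10, "MaxPasswordAge": 90,
               "PasswordReusePrevention": 1}
# Booleans that must be true. HardExpiry ("Password expiration requires
# administrator reset") is left out because the page's recommended sample keeps it false.
REQUIRED_FLAGS = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                  "RequireNumbers", "RequireSymbols",
                  "AllowUsersToChangePassword", "ExpirePasswords")


def fetch_policy(iam_client):
    """Call GetAccountPasswordPolicy, e.g. with boto3.client("iam").
    A NoSuchEntity error means the AWS default policy is in effect: return None."""
    try:
        return iam_client.get_account_password_policy()
    except iam_client.exceptions.NoSuchEntityException:
        return None


def audit_password_policy(response):
    """Return a list of findings; an empty list means the policy is compliant."""
    if response is None:
        return ["No custom policy: the AWS default password policy is in effect"]
    p = response["PasswordPolicy"]
    findings = []
    length = p.get("MinimumPasswordLength", 0)
    if length < RECOMMENDED["MinimumPasswordLength"]:
        findings.append(f"MinimumPasswordLength {length} is below "
                        f"{RECOMMENDED['MinimumPasswordLength']}")
    for flag in REQUIRED_FLAGS:
        if not p.get(flag, False):  # IAM omits keys that were never set
            findings.append(f"{flag} is not enabled")
    # MaxPasswordAge is only returned when ExpirePasswords is true.
    if p.get("ExpirePasswords") and p.get("MaxPasswordAge", 0) > RECOMMENDED["MaxPasswordAge"]:
        findings.append(f"MaxPasswordAge {p['MaxPasswordAge']} exceeds "
                        f"{RECOMMENDED['MaxPasswordAge']}")
    if p.get("PasswordReusePrevention", 0) < RECOMMENDED["PasswordReusePrevention"]:
        findings.append("PasswordReusePrevention is not set")
    return findings


# Constructed sample matching the weak custom policy shown in the audit above.
WEAK_SAMPLE = {"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": False,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": False, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 1, "HardExpiry": False}}
```

Run it against a live account with audit_password_policy(fetch_policy(boto3.client("iam"))); the weak sample above produces six findings.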

Remediation / Resolution

Perform the following steps to set up a custom and strong password policy for your AWS account:

1. Sign in to the AWS Management Console.

2. Access the IAM dashboard at https://console.aws.amazon.com/iam/.

3. In the Access management section of the left navigation pane, choose Account settings.

4. In the Password policy section, perform the following:

a. If the AWS default policy is enabled:

I. Click the Change password policy button to enable a custom IAM password policy.


Ensure the prescribed options are selected per nOps recommendations, as discussed in the previous section.


b. If a custom password policy is already enabled:

I. Click Change.


Ensure the prescribed options are selected per nOps recommendations, as discussed in the previous section.


1. Using the AWS CLI, execute the update-account-password-policy command to enable or modify a custom IAM password policy for your AWS account:

aws iam update-account-password-policy

**Output**
None

This command enables a custom password policy for your AWS account.
 
2. Execute update-account-password-policy again with the options listed below to enable the nOps recommended settings. The operation does not support partial updates: any option omitted from the command reverts to its default value, so pass every option you want in a single invocation (the page's recommended policy also allows users to change their own password, so that flag is included here):

aws iam update-account-password-policy \
    --minimum-password-length 10 \
    --require-uppercase-characters \
    --require-lowercase-characters \
    --require-numbers \
    --require-symbols \
    --allow-users-to-change-password \
    --max-password-age 90 \
    --password-reuse-prevention 8

**Output**
None
