AWS IAM

Insecure Password Expiration

This plugin checks that the account password policy enforces password expiration (a maximum password age).

Risk Level: Medium

Description: 

This plugin checks that the account password policy enforces password expiration. A good password policy sets a minimum length, a maximum password age, reuse prevention, and character requirements such as symbols, numbers and mixed case.

PingSafe strongly recommends enabling password expiration for the account.

Configuration Parameters

Password Expiration Time Threshold: The organization can define the maximum number of days a password may remain valid before it must be changed, depending on its service needs. An issue is generated if password expiration is not enabled, or if the configured maximum password age exceeds this threshold. By default, the value of the Password Expiration Time Threshold is 180 days.

About the Service :

AWS Identity and Access Management (IAM) allows you to securely manage access to AWS services and resources. With IAM you can create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources.

IAM lets you review and adjust these permissions so that only the required services and actions are accessible, which helps the account adhere to the principle of least privilege.

Impact : 

Without password expiration, an IAM user password remains valid indefinitely, so a password that has been leaked, phished or reused elsewhere can be used by an attacker for as long as the user exists. Enforcing a maximum password age limits the window in which a compromised password stays usable and forces credentials to be rotated on a predictable schedule.

Steps to reproduce :

  1. Login to AWS Management Console.
    https://console.aws.amazon.com/ 
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam 
  3. Select Account Settings under Access Management.
  4. This page displays a section named Password policy which shows the password policy of the account.
  5. If the Password policy section does not include a password expiration period (the maximum password age is not set and passwords never expire), the account has a weak password policy and this check fails.
  6. Repeat steps for other accounts as well.

Steps for remediation :

  1. Login to AWS Management Console.
    https://console.aws.amazon.com/ 
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam 
  3. Select Account Settings under Access Management.
  4. This page displays a section named Password policy which shows the password policy of the account.
  5. If the Password policy section does not include a password expiration period, the password policy must be changed to enforce one.
  6. Select the Change password policy button. In the Set Password Policy tab that appears, check Enable password expiration and enter 90 days in the box that appears. Finally, click on Save changes.
  7. Repeat steps for other accounts with the same problem as well.
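The console steps above can be automated. The following Python example is added here and is not PingSafe's plugin code or AWS code; it evaluates a password policy document in the shape returned by the IAM GetAccountPasswordPolicy API (boto3 `iam.get_account_password_policy()["PasswordPolicy"]`, or `aws iam get-account-password-policy` on the CLI) against the Password Expiration Time Threshold, and builds the full parameter set for UpdateAccountPasswordPolicy (boto3 `iam.update_account_password_policy(**params)`, or `aws iam update-account-password-policy`). The sample policies are constructed for illustration, and the `None` input models the NoSuchEntity error the API returns when no custom policy has ever been set. No AWS calls are made, so it runs offline.

```python
"""Check and remediate IAM account password expiration (added example)."""
from typing import Optional

# Plugin default for the Password Expiration Time Threshold, in days.
DEFAULT_THRESHOLD_DAYS = 180

# Parameters accepted by UpdateAccountPasswordPolicy. ExpirePasswords is
# present in the Get response but is not an Update parameter; it is implied
# by MaxPasswordAge.
UPDATABLE_KEYS = {
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "MaxPasswordAge",
    "PasswordReusePrevention", "HardExpiry",
}

# Constructed sample policies, not from any real account.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,          # no MaxPasswordAge: passwords never expire
}
STRONG_POLICY = {
    **WEAK_POLICY,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}


def check_password_expiration(policy: Optional[dict],
                              threshold_days: int = DEFAULT_THRESHOLD_DAYS) -> dict:
    """Return {"status": "PASS"|"FAIL", "reason": ...} for one account policy.

    policy is the PasswordPolicy dict from GetAccountPasswordPolicy, or None
    when the API raised NoSuchEntity (no custom policy set at all).
    """
    if policy is None:
        return {"status": "FAIL",
                "reason": "no custom password policy (NoSuchEntity); passwords never expire"}
    if not policy.get("ExpirePasswords") or "MaxPasswordAge" not in policy:
        return {"status": "FAIL", "reason": "password expiration is not enabled"}
    max_age = int(policy["MaxPasswordAge"])
    if max_age > threshold_days:
        return {"status": "FAIL",
                "reason": f"passwords expire after {max_age} days, above the {threshold_days}-day threshold"}
    return {"status": "PASS", "reason": f"passwords expire after {max_age} days"}


def remediation_params(policy: Optional[dict], max_password_age: int = 90) -> dict:
    """Build the parameter set for UpdateAccountPasswordPolicy.

    UpdateAccountPasswordPolicy does not support partial updates: any parameter
    left out reverts to its default value. Carry the existing settings forward
    so that enabling expiration does not silently weaken the rest of the policy.
    """
    params = {k: v for k, v in (policy or {}).items() if k in UPDATABLE_KEYS}
    params["MaxPasswordAge"] = max_password_age
    return params


if __name__ == "__main__":
    for name, pol in [("none", None), ("weak", WEAK_POLICY), ("strong", STRONG_POLICY)]:
        result = check_password_expiration(pol)
        print(f"{name:6} {result['status']}: {result['reason']}")
        if result["status"] == "FAIL":
            print("       remediate with:", remediation_params(pol))
```

The remediation helper is deliberately explicit about carrying every existing setting forward: calling `update-account-password-policy --max-password-age 90` on its own would enable expiration but reset minimum length and character requirements to their defaults, trading one weak policy for another.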
