AWS IAM

Password Policy Missing 'Require Numbers'

This plugin ensures that the password policy needs numbers to be used.

Risk Level: Medium

Description:

This plugin checks that the account password policy requires at least one number in every password. A strong password policy also covers minimum length, expiry time, reuse restrictions, and the use of symbols.

PingSafe strongly recommends updating the password policy to require the use of numbers.

About the Service:

AWS Identity and Access Management (IAM) lets you securely manage access to AWS services and resources. With IAM you can create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources.

Permissions can be reviewed and adjusted so that only the services that are actually needed remain accessible, which brings the account closer to the principle of least privilege.

Impact:

Enforcing the strength, pattern, and rotation of AWS IAM passwords is critical to keeping your AWS account safe and secure.

Without a strong password policy, the risk of password guessing and brute-force attacks increases.

Steps to reproduce:

  1. Login to AWS Management Console.
    https://console.aws.amazon.com/
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam
  3. Select Account Settings under Access Management.
  4. This page displays a section named Password policy which shows the password policy of the account.
  5. The policy should require at least one number in every password. If this requirement is not clearly listed in the Password policy section, the password policy is weak.
  6. Repeat these steps for other accounts as well.

Steps for remediation:

  1. Login to AWS Management Console.
    https://console.aws.amazon.com/
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam
  3. Select Account Settings under Access Management.
  4. This page displays a section named Password policy which shows the password policy of the account.
  5. The policy should require at least one number in every password. If this requirement is not clearly listed in the Password policy section, the password policy is weak.
  6. Select the Change password policy button. In the Set password policy tab that appears, check Require at least one number and then click Save changes.
  7. Repeat these steps for other accounts with the same problem.
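The console steps above (both the check under "Steps to reproduce" and the fix under "Steps for remediation") can be scripted for accounts where clicking through the console does not scale. The following is an added example, not PingSafe's plugin code. It works on the policy document that `aws iam get-account-password-policy` (or boto3's `get_account_password_policy()`) returns, evaluates the "require numbers" finding, and builds the parameters for the fix. The `audit_account` helper assumes a boto3 IAM client is passed in; the rest runs offline on a constructed sample policy. One caveat a practitioner should know: `UpdateAccountPasswordPolicy` replaces the whole policy, so any setting you leave out is reset to its default. The remediation helper therefore carries every existing setting over and only switches `RequireNumbers` on.

```python
"""Evaluate and remediate the 'Require Numbers' IAM password policy finding.

Added example, not PingSafe's own plugin code.  The policy dict has the
shape of the PasswordPolicy object returned by GetAccountPasswordPolicy.
Live API calls are confined to audit_account(), which assumes a boto3 IAM
client; everything else runs offline.
"""

# Response fields that are also parameters of UpdateAccountPasswordPolicy.
# ExpirePasswords is read-only (derived from MaxPasswordAge), so it is
# deliberately not carried over.
UPDATABLE_FIELDS = (
    "MinimumPasswordLength",
    "RequireSymbols",
    "RequireNumbers",
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "AllowUsersToChangePassword",
    "MaxPasswordAge",
    "PasswordReusePrevention",
    "HardExpiry",
)


def check_require_numbers(policy):
    """Return (status, message) for the finding.

    `policy` is the PasswordPolicy dict, or None when the account has no
    custom policy at all (the API raises NoSuchEntity in that case, which
    the caller maps to None).  No policy means numbers are not required.
    """
    if policy is None:
        return "FAIL", "No account password policy is set; numbers are not required"
    if policy.get("RequireNumbers") is True:
        return "PASS", "Password policy requires at least one number"
    return "FAIL", "Password policy does not require numbers"


def remediation_params(policy):
    """Build keyword arguments for iam.update_account_password_policy().

    The update call replaces the entire policy and resets omitted fields to
    their defaults, so every updatable field of the current policy is kept
    and only RequireNumbers is forced to True.
    """
    params = {k: v for k, v in (policy or {}).items() if k in UPDATABLE_FIELDS}
    params["RequireNumbers"] = True
    return params


def audit_account(iam_client):
    """Run the check against a live account.

    `iam_client` is assumed to be a boto3 IAM client (boto3.client("iam")).
    """
    try:
        policy = iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        policy = None
    return check_require_numbers(policy)


# Constructed sample: a policy that enforces length, symbols and rotation,
# but does not require numbers.
SAMPLE_WEAK_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}


if __name__ == "__main__":
    status, msg = check_require_numbers(SAMPLE_WEAK_POLICY)
    print(status, msg)
    if status == "FAIL":
        # In a real run: boto3.client("iam").update_account_password_policy(**params)
        print("update_account_password_policy parameters:")
        print(remediation_params(SAMPLE_WEAK_POLICY))
```

The same check from the CLI is `aws iam get-account-password-policy`, and the fix is `aws iam update-account-password-policy` with `--require-numbers` plus the flags for every other setting you want to keep, for the same reason the helper above copies the existing fields: omitting them resets them.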

References: