Is your AWS IAM Password Policy set up and enforced?

AWS IAM Password Policy

Cloud security is one of the major concerns of users nowadays due to the increasing number of security threats. Organizations want to make sure that their cloud infrastructure is secure, as they depend on cloud resources and services for their day-to-day operations. An AWS IAM password policy helps ensure that users access their AWS account securely.

What is IAM?

IAM is a web service that enables a user to control access to their AWS resources in a secure manner. When a user creates an AWS account for the first time, they start with a single sign-in identity that can access all of the account's AWS resources and services. This identity is called the AWS account root user; it signs in with the email address and password that were used to create the account. IAM provides users with many facilities, such as shared access to the AWS account, granular permissions (different permissions for different users), MFA, and so on.

Why should an AWS IAM password policy be enforced?

AWS allows users to set their own password policy on their account for their IAM users. A password policy is a set of conditions or restrictions that apply whenever an IAM user sets a password to gain access to the account. A minimum password length and required character types (uppercase and lowercase characters, numbers, and so on) are some of the requirements that can be enforced. A user's password must satisfy every condition imposed by the password policy; otherwise they will not be able to set it. The policy can also include a mandatory period after which users must change their password; otherwise they will not be able to log in to the AWS account with their old password.

An AWS IAM password policy specifies the complexity requirements for passwords. Enforcing one is essential to maintaining the security of your cloud infrastructure: a strong password policy significantly reduces the risk of threats such as password guessing.

How does Centilytics come into play?

Centilytics provides a dedicated insight on the AWS IAM password policy that lists all AWS accounts with a misconfigured or missing password policy. This lets users take note of all such accounts so that the necessary remediation steps can be taken from the AWS console.

Insight Description

There can be 3 possible scenarios:

Severity   Description
WARNING    This indication is displayed when a password policy is enabled but that policy is empty, i.e. it does not have even a single requirement.
CRITICAL   This indication is displayed when no password policy is enabled for the corresponding account.
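As an added example (not Centilytics code), the outcomes above can be reproduced locally in Python: `classify` maps the dict returned by IAM's GetAccountPasswordPolicy to CRITICAL (no policy), WARNING (empty policy) or OK, and additionally lists gaps against CIS Benchmark 1.x thresholds, a comparison that goes beyond what the insight itself describes. The sample policies are constructed, the thresholds are an assumption to adjust to your own standard, and `fetch_policy` needs boto3 only when run against a live account.

```python
# Thresholds from the CIS AWS Foundations Benchmark 1.x password controls (assumed; adjust to your standard)
CIS_MIN_LENGTH, CIS_REUSE_PREVENTION, CIS_MAX_AGE_DAYS = 14, 24, 90
AWS_DEFAULT_MIN_LENGTH = 6  # length AWS applies to a policy created with no requirements
REQUIRED_FLAGS = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                  "RequireNumbers", "RequireSymbols")

# Constructed sample policies in the shape IAM's GetAccountPasswordPolicy returns
SAMPLE_EMPTY = {"MinimumPasswordLength": 6, "RequireSymbols": False, "RequireNumbers": False,
                "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": False,
                "AllowUsersToChangePassword": True, "ExpirePasswords": False}
SAMPLE_HARDENED = {"MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
                   "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
                   "AllowUsersToChangePassword": True, "ExpirePasswords": True,
                   "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False}

def fetch_policy(session=None):
    """Read the live policy with boto3 (imported lazily); None means no policy exists."""
    import boto3
    iam = (session or boto3).client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return None

def is_empty(policy):
    """A policy that exists but imposes no requirement at all (the WARNING case)."""
    return (not any(policy.get(f, False) for f in REQUIRED_FLAGS)
            and not policy.get("ExpirePasswords", False)
            and policy.get("PasswordReusePrevention", 0) == 0
            and policy.get("MinimumPasswordLength", AWS_DEFAULT_MIN_LENGTH) <= AWS_DEFAULT_MIN_LENGTH)

def benchmark_gaps(policy):
    """Requirements the policy still misses against the benchmark thresholds above."""
    gaps = [f"{f} is not enforced" for f in REQUIRED_FLAGS if not policy.get(f, False)]
    if policy.get("MinimumPasswordLength", AWS_DEFAULT_MIN_LENGTH) < CIS_MIN_LENGTH:
        gaps.append(f"MinimumPasswordLength below {CIS_MIN_LENGTH}")
    if policy.get("PasswordReusePrevention", 0) < CIS_REUSE_PREVENTION:
        gaps.append(f"PasswordReusePrevention below {CIS_REUSE_PREVENTION}")
    if not policy.get("ExpirePasswords") or policy.get("MaxPasswordAge", 0) > CIS_MAX_AGE_DAYS:
        gaps.append(f"passwords do not expire within {CIS_MAX_AGE_DAYS} days")
    return gaps

def classify(policy):
    """CRITICAL = no policy, WARNING = empty policy, OK = requirements set (gaps listed alongside)."""
    if policy is None:
        return "CRITICAL", ["no account password policy is set"]
    if is_empty(policy):
        return "WARNING", ["password policy exists but has no requirements"]
    return "OK", benchmark_gaps(policy)
```

Running `classify(fetch_policy())` against a real account gives the same three severities the insight reports, with the gap list telling you which settings to tighten in the console.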

Descriptions of the further columns are as follows:

  1. Account Id: This column shows the account ID of the user's account.
  2. Account Name: This column shows the account name corresponding to the user's account.
  3. Description: This column shows the description, i.e. the imposed requirements, of the password policy.

Filters applicable:

Filter Name          Description
Account Id           Applying the Account Id filter displays data for the selected account ID.
Compliance           Applying the Compliance filter displays only those security checks that fall under the selected compliance.
Severity             Applying the Severity filter displays resources according to the selected severity type, i.e. selecting critical displays all resources with critical severity. The same applies to the warning and ok severity types.
Resource Tags        Applying the Resource Tags filter displays data that carries the selected resource tag. For example, if the user has tagged a resource with a tag named environment, then selecting environment from the Resource Tags filter displays all the data accordingly.
Resource Tags Value  Applying the Resource Tags Value filter displays data that carries the selected resource tag value. For example, if the user has tagged a resource with a tag named environment and given it the value production (environment:production), then the user can view data for all resources tagged "environment:production". The tag value filter can only be used once a tag name has been provided.

Compliances covered:

Compliance Name   Reference No.                 Link
PCI               8.2, 8.2.1, 8.2.5             https://docs.aws.amazon.com/quickstart/latest/compliance-pci/welcome.html
HIPAA             164.312(d)                    https://aws.amazon.com/quickstart/architecture/compliance-hipaa/
ISO 27001         A.9.4.3, A.9.2.4, A.9.4.2     https://www.iso.org/standard/54534.html
NIST 800-53       IA-5, IA-2                    https://docs.aws.amazon.com/quickstart/latest/compliance-nist/welcome.html
GDPR              Article 25                    https://gdpr-info.eu/
CIS               1.1.0                         https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Trusted Advisor                                 https://console.aws.amazon.com/trustedadvisor/home?#/category/security

Read More:

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
