IAM password policies should prevent reuse of previously used passwords

Description

IAM password policies can prevent the reuse of a given password by the same user. Preventing password reuse increases account resiliency against brute force login attempts.

Remediation Steps

AWS Console

  • Navigate to IAM Account Settings.

  • Select Change password policy.

  • Check the Prevent password reuse checkbox.

  • In the Remember password(s) field, enter 24.

  • Click the Save changes button.

AWS CLI

  • Set the number of passwords to remember to the highest possible value, 24.

  • This operation does not support partial updates. No parameters are required, but if you do not specify a parameter, that parameter’s value reverts to its default value.

    • aws iam update-account-password-policy <other password options> --password-reuse-prevention 24
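Because update-account-password-policy replaces the whole policy, a safe remediation first reads the current policy and carries every existing setting into the update. The following Python is an added example for this page, not code from the original or from AWS: it evaluates the check against a constructed get-account-password-policy response (the sample JSON is made up, not real account data) and builds the complete CLI argument list with reuse prevention set to 24 while preserving the other settings. The field-to-flag mapping is an assumption drawn from the documented update-account-password-policy options; ExpirePasswords has no flag of its own and is implied by --max-password-age.

```python
import json
import shlex

# Constructed sample of `aws iam get-account-password-policy` output for an
# account whose policy has no reuse prevention (not real account data).
SAMPLE_POLICY_JSON = """
{
  "PasswordPolicy": {
    "MinimumPasswordLength": 14,
    "RequireSymbols": true,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": true,
    "MaxPasswordAge": 90,
    "HardExpiry": false
  }
}
"""

REQUIRED_REUSE_PREVENTION = 24

# Assumed mapping of response fields to update-account-password-policy flags.
# Integer fields take a value; boolean fields use --flag / --no-flag pairs.
INT_FLAGS = {
    "MinimumPasswordLength": "--minimum-password-length",
    "MaxPasswordAge": "--max-password-age",
    "PasswordReusePrevention": "--password-reuse-prevention",
}
BOOL_FLAGS = {
    "RequireSymbols": "require-symbols",
    "RequireNumbers": "require-numbers",
    "RequireUppercaseCharacters": "require-uppercase-characters",
    "RequireLowercaseCharacters": "require-lowercase-characters",
    "AllowUsersToChangePassword": "allow-users-to-change-password",
    "HardExpiry": "hard-expiry",
}


def load_policy(policy_json: str) -> dict:
    """Parse get-account-password-policy output; an absent policy yields {}."""
    if not policy_json.strip():
        return {}
    return json.loads(policy_json).get("PasswordPolicy", {})


def evaluate(policy_json: str, required: int = REQUIRED_REUSE_PREVENTION) -> dict:
    """Check verdict: PASS only if PasswordReusePrevention is set and >= required."""
    policy = load_policy(policy_json)
    current = policy.get("PasswordReusePrevention")
    status = "PASS" if current is not None and current >= required else "FAIL"
    return {"status": status, "current": current, "required": required}


def build_update_command(policy_json: str, reuse: int = REQUIRED_REUSE_PREVENTION) -> list:
    """Build the full update argv, carrying over every existing setting so the
    non-partial update does not silently reset the others to their defaults."""
    policy = dict(load_policy(policy_json))
    policy["PasswordReusePrevention"] = reuse
    cmd = ["aws", "iam", "update-account-password-policy"]
    for field, flag in INT_FLAGS.items():
        if field in policy:
            cmd += [flag, str(policy[field])]
    for field, name in BOOL_FLAGS.items():
        if field in policy:
            cmd.append(f"--{name}" if policy[field] else f"--no-{name}")
    return cmd


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY_JSON))
    print(shlex.join(build_update_command(SAMPLE_POLICY_JSON)))
```

If the account has no password policy at all, the generated command sets only reuse prevention and the remaining options fall back to AWS defaults, so review the printed command before running it.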

Terraform

Example Configuration

resource "aws_iam_account_password_policy" "example" {
  password_reuse_prevention = 24
  # other required fields here
}