IAM password policies should expire passwords within 90 days

Description

IAM password policies can require passwords to be rotated or expired after a given number of days. Reducing the password lifetime increases account resiliency against brute force login attempts.

Remediation Steps

AWS Console

• Navigate to IAM.

• In the left navigation, select Account settings.

• Check the Enable password expiration checkbox.

• In the Password expiration period (days) field, enter 90 days or less.

• Click the Apply password policy button.

AWS CLI

• Set IAM password policy to expire passwords in 90 days.

• This operation does not support partial updates. No parameters are required, but if you do not specify a parameter, that parameter’s value reverts to its default value.

  • aws iam update-account-password-policy <other password options> --max-password-age 90

Terraform

• Ensure that the aws_iam_account_password_policy max_password_age field is set to “90” or less.

Example Configuration

resource "aws_iam_account_password_policy" "example" {
  max_password_age = 30
  # other required fields here
}

Documentation Links

AWS Console and CLI

• Console: Setting a Password Policy

• CLI: Setting a Password Policy

Terraform

• Resource: aws_iam_account_password_policy

  • Field: max_password_age