IAM password policies should expire passwords within 90 days
Description
IAM password policies can require passwords to be rotated or expired after a given number of days. Reducing the password lifetime increases account resiliency against brute force login attempts.
Remediation Steps
AWS Console
Navigate to IAM.
In the left navigation, select Account settings.
Check the Enable password expiration checkbox.
In the Password expiration period (days) field, enter 90 days or less.
Click the Apply password policy button.
AWS CLI
Set the IAM password policy to expire passwords after 90 days.
This operation does not support partial updates. No parameters are required, but if you do not specify a parameter, that parameter’s value reverts to its default value.
aws iam update-account-password-policy <other password options> --max-password-age 90
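Because the API replaces the whole policy, a safe remediation reads the current settings, changes only the maximum age, and writes everything back. The following is an added example (not code from the original page), assuming boto3 and the documented IAM parameter names; the constructed policy dicts in the test stand in for a real `get-account-password-policy` response.

```python
# Keys in get_account_password_policy()["PasswordPolicy"] that are also
# accepted by update_account_password_policy(). ExpirePasswords is read-only
# in the response (implied by MaxPasswordAge), so it is not copied.
PRESERVED_KEYS = (
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "PasswordReusePrevention", "HardExpiry",
)
MAX_AGE_DAYS = 90  # threshold this check enforces


def is_compliant(policy, max_age_days=MAX_AGE_DAYS):
    """True when passwords expire within max_age_days.

    `policy` is the PasswordPolicy dict, or None when the account has no
    custom policy (IAM raises NoSuchEntity): no policy means no expiration.
    """
    if not policy or not policy.get("ExpirePasswords"):
        return False
    age = policy.get("MaxPasswordAge")
    return age is not None and 0 < age <= max_age_days


def remediation_kwargs(policy, max_age_days=MAX_AGE_DAYS):
    """Full argument set for update_account_password_policy().

    The call does not do partial updates, so every existing setting is
    carried over from the current policy and only MaxPasswordAge changes.
    """
    kwargs = {k: policy[k] for k in PRESERVED_KEYS if policy and k in policy}
    kwargs["MaxPasswordAge"] = max_age_days
    return kwargs


def main():
    import boto3  # only needed for the live call (assumed available)
    iam = boto3.client("iam")
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        policy = None
    if is_compliant(policy):
        print("compliant: MaxPasswordAge =", policy["MaxPasswordAge"])
        return
    kwargs = remediation_kwargs(policy)
    iam.update_account_password_policy(**kwargs)
    print("applied:", kwargs)


if __name__ == "__main__":
    main()
```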
Terraform
Ensure that the aws_iam_account_password_policy max_password_age field is set to 90 or less.
Example Configuration
resource "aws_iam_account_password_policy" "example" {
max_password_age = 30
# other required fields here
}