IAM password policies should prevent reuse of the four previously used passwords

Description

IAM password policies should prevent users from reusing any of their previous 4 passwords. Preventing password reuse increases account resiliency against brute force login attempts.

Remediation Steps

AWS Console

• Navigate to Identity and Access Management.

• In the left navigation, select Account Settings.

• Check Prevent password reuse.

• In Number of passwords to remember, enter 4.

• Click Apply password policy.

AWS CLI

• Set number of passwords to remember to 4.

• This operation does not support partial updates. No parameters are required, but if you do not specify a parameter, that parameter’s value reverts to its default value.

  • aws iam update-account-password-policy <other password options> --password-reuse-prevention 4

Terraform

• Ensure that the aws_iam_account_password_policy has a password_reuse_prevention field set to “4”.

Example Configuration

resource "aws_iam_account_password_policy" "example" {
  password_reuse_prevention = 4
  # other required fields here
}

Documentation Links

AWS Console and CLI

• Console: Setting a Password Policy

• CLI: Setting a Password Policy

Terraform

• Resource: aws_iam_account_password_policy

  • Field: password_reuse_prevention