Ensure AWS IAM password policy does not allow password reuse

Error: AWS IAM password policy allows password reuse

Bridgecrew Policy ID: BC_AWS_IAM_10
Checkov Check ID: CKV_AWS_13
Severity: HIGH

AWS IAM password policy allows password reuse

Description

Password policies are used to enforce the creation and use of password complexity. Your IAM password policy must prevent reuse of passwords. Each password should be brand new to increase security, especially from a brute force attack.

Fix - Runtime

AWS Console

To change the password policy in the AWS Console you will need appropriate permissions to View Identity Access Management Account Settings.

To manually set the password policy with a minimum length, follow these steps:

  1. Log in to the AWS Management Console as an IAM user at https://console.aws.amazon.com/iam/.
  2. Navigate to IAM Services.
  3. On the Left Pane click Account Settings.
  4. Select Prevent password reuse.
  5. For Number of passwords to remember" enter 24**.
  6. Click Apply password policy.

CLI Command

To change the password policy, use the following command:

aws iam update-account-password-policy --password-reuse-prevention 24

Fix - Buildtime

Terraform

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 8
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  apassword_reuse_prevention  = 24
}