turbot/aws_compliance

Query: iam_account_password_policy_strong_min_reuse_24

Usage

powerpipe query aws_compliance.query.iam_account_password_policy_strong_min_reuse_24

SQL

select
'arn:' || a.partition || ':::' || a.account_id as resource,
case
when
minimum_password_length >= 14
and password_reuse_prevention >= 24
and require_lowercase_characters = 'true'
and require_uppercase_characters = 'true'
and require_numbers = 'true'
and require_symbols = 'true'
and max_password_age <= 90
then 'ok'
else 'alarm'
end as status,
case
when minimum_password_length is null then 'No password policy set.'
when
minimum_password_length >= 14
and password_reuse_prevention >= 24
and require_lowercase_characters = 'true'
and require_uppercase_characters = 'true'
and require_numbers = 'true'
and require_symbols = 'true'
and max_password_age <= 90
then 'Strong password policies configured.'
else 'Password policy ' ||
concat_ws(', ',
case when minimum_password_length < 14 then ('minimum password length set to ' || minimum_password_length) end,
case when password_reuse_prevention < 24 then ('password reuse prevention set to ' || password_reuse_prevention) end,
case when not (require_lowercase_characters = 'true') then 'lowercase characters not required' end,
case when not (require_uppercase_characters = 'true') then 'uppercase characters not required' end,
case when not (require_numbers) then 'numbers not required' end,
case when not (require_symbols) then 'symbols not required' end,
case when max_password_age > 90 then ('max password age set to ' || max_password_age) end
) || '.'
end as reason
, a.account_id
from
aws_account as a
left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;

Controls

The query is being used by the following controls: