turbot/steampipe-mod-aws-compliance

Control: 7 Password policies for IAM users should have strong configurations

Description

To access the AWS Management Console, IAM users need passwords. As a best practice, Security Hub highly recommends that instead of creating IAM users, you use federation. Federation allows users to use their existing corporate credentials to log into the AWS Management Console. Use AWS Single Sign-On (AWS SSO) to create or federate the user, and then assume an IAM role into an account.

To learn more about identity providers and federation, see Identity providers and federation in the IAM User Guide. To learn more about AWS SSO, see the AWS Single Sign-On User Guide.

If you need to use IAM users, Security Hub recommends that you enforce the creation of strong user passwords. You can set a password policy on your AWS account to specify complexity requirements and mandatory rotation periods for passwords. When you create or change a password policy, most of the password policy settings are enforced the next time users change their passwords. Some of the settings are enforced immediately. To learn more, see Setting an account password policy for IAM users in the IAM User Guide.

Remediation

To remediate this issue, update your password policy to use the recommended configuration.

  1. Sign in to the AWS Management Console and open the IAM console.
  2. Choose Account settings.
  3. Select Requires at least one uppercase letter.
  4. Select Requires at least one lowercase letter.
  5. Select Requires at least one non-alphanumeric character.
  6. Select Requires at least one number.
  7. For Minimum password length, enter 8.
  8. Choose Apply password policy.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_iam_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_iam_7 --share

SQL

This control uses a named query:

select
  'arn:' || a.partition || ':::' || a.account_id as resource,
  case
    when
      minimum_password_length >= 8
      and require_lowercase_characters = 'true'
      and require_uppercase_characters = 'true'
      and require_numbers = 'true'
      and require_symbols = 'true'
    then 'ok'
    else 'alarm'
  end as status,
  case
    when minimum_password_length is null then 'No password policy set.'
    when
      minimum_password_length >= 8
      and require_lowercase_characters = 'true'
      and require_uppercase_characters = 'true'
      and require_numbers = 'true'
      and require_symbols = 'true'
    then 'Strong password policies configured.'
    else 'Password policy ' ||
      concat_ws(', ',
        case when minimum_password_length < 8 then ('minimum password length set to ' || minimum_password_length) end,
        case when not (require_lowercase_characters = 'true') then 'lowercase characters not required' end,
        case when not (require_uppercase_characters = 'true') then 'uppercase characters not required' end,
        case when not (require_numbers) then 'numbers not required' end,
        case when not (require_symbols) then 'symbols not required' end
      ) || '.'
  end as reason,
  a.account_id
from
  aws_account as a
  left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
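The following Python is an added example, not code from the steampipe-mod-aws-compliance project. It reproduces the status/reason logic of the named query above against the policy shape boto3 returns from iam.get_account_password_policy()["PasswordPolicy"], and expresses remediation steps 3 to 7 as the parameters of iam.update_account_password_policy(). The two sample policies are constructed, the "no policy" case is modelled as None (the LEFT JOIN's NULL row), and apply_remediation() assumes it is handed a real boto3 IAM client; nothing else touches AWS.

```python
"""Evaluate an account password policy the way the foundational_security_iam_7
named query does, and build the matching remediation request.

Added example, not part of steampipe-mod-aws-compliance. Sample policies below
are constructed; apply_remediation() is the only function that calls AWS and
assumes a boto3 IAM client (boto3.client("iam")).
"""
from __future__ import annotations

MIN_LENGTH = 8  # the query's "minimum_password_length >= 8"

# Boolean flags the query requires, with the reason text it emits when unset,
# in the same order as the query's concat_ws(...) list.
REQUIRED_FLAGS = (
    ("RequireLowercaseCharacters", "lowercase characters not required"),
    ("RequireUppercaseCharacters", "uppercase characters not required"),
    ("RequireNumbers", "numbers not required"),
    ("RequireSymbols", "symbols not required"),
)

# Fields accepted by iam.update_account_password_policy(). ExpirePasswords is
# returned by get_account_password_policy() but is read-only, so it is excluded.
UPDATABLE_FIELDS = {
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "MaxPasswordAge",
    "PasswordReusePrevention", "HardExpiry",
}

# Remediation steps 3-7 (console "Account settings" checkboxes) as API parameters.
RECOMMENDED_SETTINGS = {
    "MinimumPasswordLength": MIN_LENGTH,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireSymbols": True,
    "RequireNumbers": True,
}


def evaluate(policy: dict | None) -> tuple[str, str]:
    """Return (status, reason) for one account, mirroring the query's two CASE
    expressions. policy is None when the account has no policy at all (the LEFT
    JOIN yields a NULL minimum_password_length; boto3 raises NoSuchEntityException).
    """
    if policy is None:
        return "alarm", "No password policy set."
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(f"minimum password length set to {length}")
    for field, message in REQUIRED_FLAGS:
        if not policy.get(field, False):
            findings.append(message)
    if not findings:
        return "ok", "Strong password policies configured."
    return "alarm", "Password policy " + ", ".join(findings) + "."


def remediation_params(current: dict | None) -> dict:
    """Merge the recommended settings into the existing policy.

    UpdateAccountPasswordPolicy is not a partial update: every field left out of
    the call reverts to its default, so existing values such as MaxPasswordAge
    or PasswordReusePrevention are carried over explicitly here.
    """
    params = {k: v for k, v in (current or {}).items() if k in UPDATABLE_FIELDS}
    params.update(RECOMMENDED_SETTINGS)
    return params


def apply_remediation(iam_client) -> tuple[str, str]:
    """Read the live policy, apply the merged settings, and re-evaluate.
    iam_client is assumed to be a boto3 IAM client.
    """
    try:
        current = iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        current = None
    iam_client.update_account_password_policy(**remediation_params(current))
    return evaluate(iam_client.get_account_password_policy()["PasswordPolicy"])


# Constructed sample policies (not real account data).
STRONG_POLICY = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False,
}
WEAK_POLICY = {
    "MinimumPasswordLength": 6, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 5, "HardExpiry": False,
}

if __name__ == "__main__":
    for name, policy in (("strong", STRONG_POLICY), ("weak", WEAK_POLICY), ("none", None)):
        print(name, *evaluate(policy))
    print(remediation_params(WEAK_POLICY))
```

The merge in remediation_params() is the part worth copying: because UpdateAccountPasswordPolicy resets every omitted field to its default, sending only the five settings from the remediation steps would silently drop an existing password age or reuse-prevention setting, and evaluate() would still report "ok" afterwards.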

Tags