Control: IAM password policies for users should have strong configurations
Description
Identities and credentials are issued, managed, and verified according to an organizational IAM password policy.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.iam_account_password_policy_strong_min_reuse_24
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.iam_account_password_policy_strong_min_reuse_24 --share
SQL
This control uses a named query:
select
  'arn:' || a.partition || ':::' || a.account_id as resource,
  case
    when minimum_password_length >= 14
      and password_reuse_prevention >= 24
      and require_lowercase_characters = 'true'
      and require_uppercase_characters = 'true'
      and require_numbers = 'true'
      and require_symbols = 'true'
      and max_password_age <= 90 then 'ok'
    else 'alarm'
  end as status,
  case
    -- policy columns are null when the account has no password policy at all
    when minimum_password_length is null then 'No password policy set.'
    when minimum_password_length >= 14
      and password_reuse_prevention >= 24
      and require_lowercase_characters = 'true'
      and require_uppercase_characters = 'true'
      and require_numbers = 'true'
      and require_symbols = 'true'
      and max_password_age <= 90 then 'Strong password policies configured.'
    -- otherwise list every setting that misses the threshold
    else 'Password policy ' || concat_ws(
      ', ',
      case when minimum_password_length < 14 then ('minimum password length set to ' || minimum_password_length) end,
      case when password_reuse_prevention < 24 then ('password reuse prevention set to ' || password_reuse_prevention) end,
      case when not (require_lowercase_characters = 'true') then 'lowercase characters not required' end,
      case when not (require_uppercase_characters = 'true') then 'uppercase characters not required' end,
      case when not (require_numbers) then 'numbers not required' end,
      case when not (require_symbols) then 'symbols not required' end,
      case when max_password_age > 90 then ('max password age set to ' || max_password_age) end
    ) || '.'
  end as reason,
  a.account_id
from
  aws_account as a
  -- left join keeps accounts without a policy so they are reported, not skipped
  left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
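As an added example (not the mod's own code), the same thresholds applied in Python to the PasswordPolicy object that `aws iam get-account-password-policy` returns, so an account can be checked without Steampipe. It goes one step beyond the query: when reuse prevention or expiration is unset, the query returns an alarm but omits that setting from the reason text, whereas this version names the missing setting. The sample policies are constructed, not real account data.

```python
from typing import Optional, Tuple

def evaluate_password_policy(policy: Optional[dict]) -> Tuple[str, str]:
    """Return (status, reason) for one account, mirroring the control above.
    `policy` is the PasswordPolicy object from `aws iam get-account-password-policy`;
    None models an account with no policy (the API reports NoSuchEntity).
    """
    if policy is None:
        return "alarm", "No password policy set."
    findings = []
    min_len = policy.get("MinimumPasswordLength", 0)
    if min_len < 14:
        findings.append(f"minimum password length set to {min_len}")
    reuse = policy.get("PasswordReusePrevention")  # absent when disabled
    if reuse is None:
        findings.append("password reuse prevention not set")
    elif reuse < 24:
        findings.append(f"password reuse prevention set to {reuse}")
    for key, text in (
        ("RequireLowercaseCharacters", "lowercase characters not required"),
        ("RequireUppercaseCharacters", "uppercase characters not required"),
        ("RequireNumbers", "numbers not required"),
        ("RequireSymbols", "symbols not required"),
    ):
        if not policy.get(key, False):
            findings.append(text)
    max_age = policy.get("MaxPasswordAge")  # absent when passwords never expire
    if max_age is None:
        findings.append("password expiration not set")
    elif max_age > 90:
        findings.append(f"max password age set to {max_age}")
    if findings:
        return "alarm", "Password policy " + ", ".join(findings) + "."
    return "ok", "Strong password policies configured."

# Constructed sample policies (not real account data).
STRONG_POLICY = {
    "MinimumPasswordLength": 14, "PasswordReusePrevention": 24, "MaxPasswordAge": 90,
    "RequireLowercaseCharacters": True, "RequireUppercaseCharacters": True,
    "RequireNumbers": True, "RequireSymbols": True,
}
WEAK_POLICY = {  # short minimum, no symbols, no reuse prevention, no expiration
    "MinimumPasswordLength": 8, "RequireLowercaseCharacters": True,
    "RequireUppercaseCharacters": True, "RequireNumbers": True, "RequireSymbols": False,
}

if __name__ == "__main__":
    for name, pol in (("strong", STRONG_POLICY), ("weak", WEAK_POLICY), ("none", None)):
        print(name, *evaluate_password_policy(pol))
```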