Control: 2.8 Ensure IAM password policy prevents password reuse
Description
IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.
Remediation
Perform the following to set the password policy as prescribed:
From Console:
- Log in to the AWS Console (with appropriate permissions to view Identity and Access Management account settings).
- Go to IAM Service on the AWS Console.
- Select Account Settings on the Left Pane.
- Check "Prevent password reuse".
- Set "Number of passwords to remember" to 24.
From Command Line:
aws iam update-account-password-policy --password-reuse-prevention 24
Note: All commands starting with "aws iam update-account-password-policy" can be combined into a single command.
Default Value:
By default, the AWS IAM password policy does not prevent password reuse. No password history is remembered unless explicitly configured.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_2_8
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v600_2_8 --share
SQL
This control uses a named query:
select
  'arn:' || a.partition || ':::' || a.account_id as resource,
  case
    when password_reuse_prevention >= 24 then 'ok'
    else 'alarm'
  end as status,
  case
    when minimum_password_length is null then 'No password policy set.'
    when password_reuse_prevention is null then 'Password reuse prevention not set.'
    else 'Password reuse prevention set to ' || password_reuse_prevention || '.'
  end as reason,
  a.account_id
from
  aws_account as a
  left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
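The same ok/alarm/reason logic as the query above, as an added example that is not part of the Powerpipe control: it evaluates a PasswordPolicy object as returned by `aws iam get-account-password-policy`, treating the NoSuchEntity case (no policy configured) the same way the query treats a null minimum_password_length. The `fetch_policy` helper assumes boto3 is installed and AWS credentials are configured; the evaluator itself runs offline on the constructed sample.

```python
"""Evaluate CIS 2.8 (password reuse prevention) from an IAM password policy.

Added example, not part of the Powerpipe control. Mirrors the control's
ok/alarm/reason logic so it can be run against the output of
`aws iam get-account-password-policy` or a boto3 call.
"""
import json
from typing import Optional

REQUIRED_HISTORY = 24  # CIS 2.8 requires remembering the last 24 passwords


def evaluate_reuse_prevention(policy: Optional[dict]) -> dict:
    """Return {'status': 'ok'|'alarm', 'reason': str} for a PasswordPolicy dict.

    `policy` is the "PasswordPolicy" object from get-account-password-policy,
    or None when the API returned NoSuchEntity (no policy configured at all).
    Keys use the AWS API's CamelCase names.
    """
    if policy is None:
        return {"status": "alarm", "reason": "No password policy set."}
    reuse = policy.get("PasswordReusePrevention")
    if reuse is None:
        return {"status": "alarm", "reason": "Password reuse prevention not set."}
    status = "ok" if reuse >= REQUIRED_HISTORY else "alarm"
    return {"status": status,
            "reason": f"Password reuse prevention set to {reuse}."}


def fetch_policy() -> Optional[dict]:
    """Fetch the live policy with boto3 (assumed installed and credentialed)."""
    import boto3  # imported here so the evaluator stays usable offline
    iam = boto3.client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return None  # account has no password policy at all


if __name__ == "__main__":
    # Constructed sample shaped like `aws iam get-account-password-policy`
    # output, so the script runs offline without AWS credentials.
    sample = json.loads('{"PasswordPolicy": {"MinimumPasswordLength": 14, '
                        '"PasswordReusePrevention": 5}}')
    print(evaluate_reuse_prevention(sample["PasswordPolicy"]))
    # -> {'status': 'alarm', 'reason': 'Password reuse prevention set to 5.'}
```

To check a live account, replace the sample with `fetch_policy()`; a policy that sets other fields but omits PasswordReusePrevention is reported as "not set", not as ok.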