🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-terraform-aws-compliance
Overview
69Dashboards
357Benchmarks
357Queries
2Variables
GitHub

Control: Ensure IAM password policy expires passwords within 90 days or less

Description

IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts.

Usage

Run the control in your terminal:

powerpipe control run terraform_aws_compliance.control.iam_password_policy_expire_90

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_aws_compliance.control.iam_password_policy_expire_90 --share

SQL

This control uses a named query:

select
  address as resource,
  case
    when (attributes_std -> 'max_password_age') is null then 'alarm'
    when (attributes_std -> 'max_password_age')::integer <= 90 then 'ok'
    else 'alarm'
  end as status,
  split_part(address, '.', 2) || case
    when (attributes_std -> 'max_password_age') is null then ' password expiration not set'
    when (attributes_std -> 'max_password_age')::integer <= 90 then ' password expiration set to ' || (attributes_std ->> 'max_password_age') || ' days'
    else ' password expiration set to ' || (attributes_std ->> 'max_password_age') || ' days'
  end || '.' as reason
  , path || ':' || start_line
from
  terraform_resource
where
  type = 'aws_iam_account_password_policy';

Tags

category = Compliance
gdpr = true
hipaa = true
plugin = terraform
service = AWS/IAM