Complex Password Policy Should Be Present
More Info:
The account password policy should be complex enough that users cannot set passwords that are easy to guess or crack.
Risk Level
Medium
Address
Security
Compliance Standards
HIPAA, ISO27001, PCIDSS, GDPR, CISAWS, CBP, NIST, HITRUST, AWSWAF, SOC2, NISTCSF
Triage and Remediation
How to Prevent
To prevent the misconfiguration of not having a complex password policy in AWS IAM using the AWS Management Console, follow these steps:
- Navigate to IAM Dashboard:
  - Sign in to the AWS Management Console.
  - In the top navigation bar, click on “Services” and then select “IAM” under the “Security, Identity, & Compliance” section.
- Access Account Settings:
  - In the IAM dashboard, on the left-hand side, click on “Account settings.”
- Set Password Policy:
  - In the “Password policy” section, click on the “Set password policy” button.
  - Configure the password policy settings to enforce complexity. Ensure you enable options such as:
    - Require at least one uppercase letter.
    - Require at least one lowercase letter.
    - Require at least one number.
    - Require at least one non-alphanumeric character (e.g., !, @, #, $).
- Save Changes:
  - After configuring the desired settings, click on the “Save changes” button to apply the new password policy.
By following these steps, you can ensure that a complex password policy is enforced for IAM users in your AWS account.
To prevent the misconfiguration of not having a complex password policy in AWS IAM using the AWS CLI, you can follow these steps. Note that update-account-password-policy replaces the whole policy rather than applying a partial update: any option you omit from a call reverts to its default. Each command below therefore repeats the options set in the previous steps, so that the final command leaves the complete policy in place.
- Set Minimum Password Length: Ensure that the password policy enforces a minimum length for passwords. This makes passwords harder to guess.
  aws iam update-account-password-policy --minimum-password-length 12
- Require at Least One Uppercase Letter: Enforce the inclusion of at least one uppercase letter in the password to increase complexity.
  aws iam update-account-password-policy --minimum-password-length 12 --require-uppercase-characters
- Require at Least One Lowercase Letter: Enforce the inclusion of at least one lowercase letter in the password to ensure a mix of character cases.
  aws iam update-account-password-policy --minimum-password-length 12 --require-uppercase-characters --require-lowercase-characters
- Require at Least One Number and One Special Character: Ensure that the password includes at least one numeric digit and one special character to further enhance security.
  aws iam update-account-password-policy --minimum-password-length 12 --require-uppercase-characters --require-lowercase-characters --require-numbers --require-symbols
By executing these commands, you enforce a complex password policy in AWS IAM and prevent the misconfiguration of a weak password policy. You can confirm the result with aws iam get-account-password-policy.
To prevent the misconfiguration of not having a complex password policy in IAM using Python scripts, you can follow these steps for AWS, Azure, and GCP:
AWS (Boto3)
- Install Boto3: Ensure you have the Boto3 library installed. You can install it using pip if you haven’t already:
  pip install boto3
- Create a Python Script to Set Password Policy: Use the following script to set a complex password policy in AWS IAM:

import boto3

# Create an IAM client
iam = boto3.client('iam')

# Define the password policy. update_account_password_policy replaces the whole
# policy, so every setting you want to keep must be passed in this single call.
# Password expiry is configured through MaxPasswordAge; the 'ExpirePasswords'
# field is read-only (it only appears in get_account_password_policy output)
# and is rejected by update_account_password_policy.
password_policy = {
    'MinimumPasswordLength': 12,
    'RequireSymbols': True,
    'RequireNumbers': True,
    'RequireUppercaseCharacters': True,
    'RequireLowercaseCharacters': True,
    'AllowUsersToChangePassword': True,
    'MaxPasswordAge': 90,
    'PasswordReusePrevention': 5
}

# Set the password policy
response = iam.update_account_password_policy(**password_policy)
print("Password policy updated:", response)
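An added audit counterpart to the script above (example code, not from the original page): it evaluates a policy dict shaped like boto3's get_account_password_policy()["PasswordPolicy"] against the settings this check requires, and treats the no-policy case (boto3 raises NoSuchEntityException) as a finding. The thresholds are assumptions taken from the script above.

```python
"""Added example (not from the original page): audit an AWS account password policy
against the complexity settings this check requires. A policy of None stands for
"no policy set", the case in which boto3 raises NoSuchEntityException."""
from typing import Optional

# Thresholds are assumptions taken from the page's script (length 12, age 90, reuse 5).
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
REUSE_PREVENTION = 5
REQUIRED_FLAGS = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                  "RequireNumbers", "RequireSymbols")


def evaluate_password_policy(policy: Optional[dict]) -> list:
    """Return a list of findings; an empty list means the policy is compliant."""
    if policy is None:
        # No policy at all: AWS falls back to its default (8 characters, no complexity rules).
        return ["no account password policy is set (AWS defaults apply)"]
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(f"MinimumPasswordLength is {length}, expected >= {MIN_LENGTH}")
    for flag in REQUIRED_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"{flag} is not enforced")
    # MaxPasswordAge is omitted from the response when passwords never expire.
    age = policy.get("MaxPasswordAge")
    if age is None or age > MAX_AGE_DAYS:
        findings.append(f"MaxPasswordAge is {age}, expected <= {MAX_AGE_DAYS}")
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < REUSE_PREVENTION:
        findings.append(f"PasswordReusePrevention is {reuse}, expected >= {REUSE_PREVENTION}")
    return findings


def fetch_policy(iam_client) -> Optional[dict]:
    """Read the live policy through a boto3 IAM client; None when none is configured."""
    try:
        return iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        return None


if __name__ == "__main__":
    import boto3  # needed only for the live check, not for evaluate_password_policy()
    for finding in evaluate_password_policy(fetch_policy(boto3.client("iam"))):
        print("FAIL:", finding)
```

Running the script against an account prints one FAIL line per missing setting and nothing when the policy matches; evaluate_password_policy() can also be fed a stored policy snapshot offline.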
Azure (Azure SDK for Python)
- Install Azure Identity and Management Libraries: Ensure you have the Azure libraries installed:
  pip install azure-identity azure-mgmt-authorization
- Create a Python Script to Set Password Policy: Use the following script to set a complex password policy in Azure AD:

from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient

# Initialize the Azure credentials and client
credential = DefaultAzureCredential()
subscription_id = 'your-subscription-id'
client = AuthorizationManagementClient(credential, subscription_id)

# Define the desired password policy.
# Note: this is a placeholder. Azure AD password policies are not managed directly
# via this SDK; they are managed via Azure AD B2C or Conditional Access Policies.
password_policy = {
    'minimum_length': 12,
    'require_uppercase': True,
    'require_lowercase': True,
    'require_numbers': True,
    'require_symbols': True,
    'max_age_days': 90,
    'password_reuse_prevention': 5
}

# Placeholder for setting the password policy.
# Azure AD password policies are typically set via the Azure portal or PowerShell.
print("Password policy should be set via Azure AD B2C or Conditional Access Policies.")
GCP (Google Cloud Client Library for Python)
- Install Google Cloud IAM Library: Ensure you have the Google Cloud IAM library installed:
  pip install google-cloud-iam
- Create a Python Script to Set Password Policy: Use the following script to set a complex password policy in GCP IAM:

from google.cloud import iam_v1

# Initialize the IAM client
client = iam_v1.IAMClient()

# Define the desired password policy.
# Note: GCP IAM does not directly support password policies; they are typically
# managed via G Suite.
password_policy = {
    'minimum_length': 12,
    'require_uppercase': True,
    'require_lowercase': True,
    'require_numbers': True,
    'require_symbols': True,
    'max_age_days': 90,
    'password_reuse_prevention': 5
}

# Placeholder for setting the password policy.
# GCP IAM password policies are typically managed via the G Suite Admin SDK.
print("Password policy should be set via G Suite Admin SDK.")
Summary
- AWS: Use Boto3 to set a complex password policy directly.
- Azure: Use Azure SDK for Python, but note that password policies are typically managed via Azure AD B2C or Conditional Access Policies.
- GCP: Use Google Cloud IAM library, but note that password policies are typically managed via G Suite Admin SDK.
These scripts provide a starting point for ensuring complex password policies are enforced in your cloud environments.