DeleteAccountPasswordPolicy
Event Information
- The DeleteAccountPasswordPolicy event in AWS for IAM refers to the action of deleting the account-level password policy for an IAM user or role.
- This event signifies that the password policy, which defines the requirements and constraints for user passwords within an AWS account, has been removed.
- Deleting the account password policy allows users and roles to set passwords without any specific requirements or constraints, potentially compromising the security of the account.
Examples
-
Weakening password complexity: By deleting the account password policy in AWS IAM, the security of user passwords can be impacted. Without a password policy in place, users may be allowed to set weak passwords that are easily guessable or susceptible to brute-force attacks. This can increase the risk of unauthorized access to user accounts and compromise the overall security of the AWS environment.
-
Lack of password expiration: Deleting the account password policy can also result in the absence of password expiration requirements. Without regular password changes, the risk of compromised credentials remaining undetected and exploited for an extended period increases. Regular password expiration helps mitigate the impact of potential password leaks or unauthorized access.
-
Absence of multi-factor authentication (MFA): The account password policy in AWS IAM typically enforces the use of multi-factor authentication (MFA) for user accounts. By deleting this policy, MFA requirements may be removed, allowing users to rely solely on passwords for authentication. MFA adds an additional layer of security by requiring users to provide a second form of authentication, such as a code from a mobile app or a hardware token. Removing MFA increases the risk of unauthorized access in case of password compromise.
Remediation
Using Console
-
Example 1: Enforce strong password policy for IAM users
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the IAM service.
- Step 3: Click on “Account settings” in the left navigation pane.
- Step 4: Under the “Password policy” section, click on “Edit”.
- Step 5: Enable the “Require at least one uppercase letter” option.
- Step 6: Enable the “Require at least one lowercase letter” option.
- Step 7: Enable the “Require at least one number” option.
- Step 8: Enable the “Require at least one non-alphanumeric character” option.
- Step 9: Set the “Minimum password length” to an appropriate value.
- Step 10: Click on “Apply password policy”.
-
Example 2: Enable multi-factor authentication (MFA) for IAM users
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the IAM service.
- Step 3: Click on “Users” in the left navigation pane.
- Step 4: Select the IAM user for which you want to enable MFA.
- Step 5: Click on the “Security credentials” tab.
- Step 6: Under the “Multi-factor authentication (MFA)” section, click on “Manage”.
- Step 7: Click on “Activate MFA”.
- Step 8: Choose the appropriate MFA device option (e.g., virtual MFA device, hardware MFA device).
- Step 9: Follow the on-screen instructions to set up the MFA device.
- Step 10: Click on “Assign MFA”.
-
Example 3: Enable AWS CloudTrail for logging IAM events
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the CloudTrail service.
- Step 3: Click on “Trails” in the left navigation pane.
- Step 4: Click on “Create trail”.
- Step 5: Provide a name for the trail and choose the appropriate settings (e.g., log file validation, S3 bucket for storing logs).
- Step 6: Under the “Management events” section, enable logging for IAM events.
- Step 7: Click on “Create”.
- Step 8: Once the trail is created, go to the IAM service.
- Step 9: Click on “Policies” in the left navigation pane.
- Step 10: Create a new IAM policy that allows the necessary permissions for accessing and reading the CloudTrail logs.
Using CLI
-
Ensure IAM users have strong passwords:
- Use the
update-login-profile
command to set a strong password for an IAM user:
- Use the
-
Enable multi-factor authentication (MFA) for IAM users:
- Use the
enable-mfa-device
command to enable MFA for an IAM user:
- Use the
-
Remove unnecessary IAM access keys:
- Use the
delete-access-key
command to delete an IAM access key:
- Use the
Using Python
- Ensure IAM users have strong passwords:
- Use the
boto3
library in Python to retrieve a list of IAM users. - For each user, check if their password meets the desired complexity requirements (e.g., minimum length, use of special characters, etc.).
- If a user’s password does not meet the requirements, use the
update_login_profile
method to force a password reset for that user.
- Use the
- Enable multi-factor authentication (MFA) for IAM users:
- Use the
boto3
library in Python to retrieve a list of IAM users. - For each user, check if MFA is already enabled.
- If MFA is not enabled, use the
enable_mfa
method to enable it for that user.
- Use the
- Monitor and rotate IAM access keys:
- Use the
boto3
library in Python to retrieve a list of IAM users. - For each user, check if they have any access keys.
- If access keys are found, check their age and determine if they need to be rotated.
- If rotation is required, use the
create_access_key
anddelete_access_key
methods to generate a new access key and delete the old one.
- Use the