MEDIUM
Source
Trivy/CSPM
CSPM ID
maximum-password-age
Frameworks

CIS AWS 1.2

ID
AVD-AWS-0062

IAM Password policy should have expiry less than or equal to 90 days.

IAM account password policies should have a maximum age specified.

The account password policy should be set to expire passwords after 90 days or less.

Impact

Long life password increase the likelihood of a password eventually being compromised

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for IAM. Step
  3. Scroll down the left navigation panel and choose “Account Settings”. Step
  4. Under the “Password Policy” configuration panel scroll down and check the “Enable password expiration”. If the “Enable password expiration” checkbox is not ticked then the password won’t reset in any number of days. Step
  5. If the “Enable password expiration” checkbox is ticked and “Password expiration period (in days)” is set to above 180 days than the allowed age of password might lead to a security threat as the same password will be active for a long period of time.Step
  6. Click on the “Enable password expiration” checkbox and mention the 180 days under “Password expiration period (in days)” so that the password will be expired after 180days. After 180 days, the password expires and the IAM user must set a new password before accessing the AWS Management Console.Step
  7. Click on the “Apply Password Policy” button to make the necessary changes.Step

Limit the password duration with an expiry in the policy

1
2
3
resource "aws_iam_account_password_policy" "good_example" {
  max_password_age = 90
}