How to secure your account with an AWS IAM password policy
November 2, 2020
Securing your AWS account according to best practices is extremely important, but unfortunately the AWS IAM password policy feature is ignored in most cases. In this post we will go through the steps that need to be taken to secure your account based on AWS recommendations.
Log into your AWS account through the AWS Management Console and navigate to the IAM service. Since IAM is a global service, it doesn’t matter which region you are currently in. In the left-hand menu, select “Account Settings” under “Access Management”. You will see a short summary of which policies / rules are currently applied to your account, as in the screenshot below.
Tuning AWS IAM password policy
Once you click “Change password policy”, a new window will appear with multiple options you can set or change. The policy set here will affect all users under your AWS account! Let’s go through all the options available:
– Enforce minimum password length sets the minimum password length for all users created (or to be created) under your AWS account. AWS will not allow a password shorter than that. The longer the password, the harder it is to compromise. But if the password is too long it is hard to remember, and users will tend to pick common long phrases. So 10-12 characters would be a good starting choice.
– Require at least… sets which types of characters must be included in the password. The more options you select here, the more secure your passwords will be, since each one significantly increases the total number of possible combinations.
– Enable password expiration sets the number of days after which a password expires. It is good practice to force users to change their password from time to time. Something between 3 and 6 months is a good starting point. Don’t force users to change passwords too frequently: they might tend to write them down somewhere, since it is hard to remember a password that changes every week, for example.
– Password expiration requires administrator reset: by selecting this option, you take away users’ ability to change their password themselves once it has expired. Not a very good option for large organizations, as it increases admin involvement in the process.
– Allow users to change their own password: why not give users the right to change their password on their own, if all the AWS IAM password policy options are set wisely? This option is recommended.
– Prevent password reuse prevents users from reusing their last X passwords. By default, if this policy is not set, only the last password cannot be reused. There is nothing wrong with allowing users to reuse a password after a fairly long period of time. For example, with Expire password set to 90 days (3 months) and Remember passwords set to 5, users can reuse a password after 15 months.
The best practice recommended by AWS is to set all the options mentioned above except for Password expiration requires administrator reset. It is up to you to decide whether to switch that one on or off, based on the security requirements and policies within your organization. In my opinion, if it is not forced by organization security policies, administrator intervention should be avoided.
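As an added example (not part of the original post), here is a small Python audit that compares an account’s current password policy with the settings recommended above and lists the gaps. The baseline values (12 characters, 90 days, 5 remembered passwords) and the function names are my own choices; the parameter names are those of the IAM GetAccountPasswordPolicy / UpdateAccountPasswordPolicy APIs as exposed by boto3, which is only needed when talking to a real account.

```python
"""Audit an AWS IAM account password policy against the recommendations above."""
from typing import Any, Dict, List

# Baseline taken from the post: 12-char minimum (from the suggested 10-12), all four
# character classes, 90-day expiry, remember the last 5 passwords, users may change
# their own password. HardExpiry (admin reset) is deliberately not checked because
# the post leaves that one to organisational policy.
BASELINE: Dict[str, Any] = {
    "MinimumPasswordLength": 12,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 5,
}
CHARACTER_CLASSES = ("RequireSymbols", "RequireNumbers",
                     "RequireUppercaseCharacters", "RequireLowercaseCharacters")


def check_password_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the policy meets the baseline.

    `policy` is the dict under "PasswordPolicy" in the GetAccountPasswordPolicy
    response. Keys that AWS omits (e.g. MaxPasswordAge when expiry is off) count as unset.
    """
    findings: List[str] = []
    if policy.get("MinimumPasswordLength", 0) < BASELINE["MinimumPasswordLength"]:
        findings.append("MinimumPasswordLength below %d" % BASELINE["MinimumPasswordLength"])
    for key in CHARACTER_CLASSES:
        if not policy.get(key, False):
            findings.append(f"{key} is not enforced")
    if not policy.get("AllowUsersToChangePassword", False):
        findings.append("AllowUsersToChangePassword is disabled")
    age = policy.get("MaxPasswordAge", 0)  # absent or 0 means expiration is disabled
    if age == 0 or age > BASELINE["MaxPasswordAge"]:
        findings.append("MaxPasswordAge is disabled or longer than %d days" % BASELINE["MaxPasswordAge"])
    if policy.get("PasswordReusePrevention", 0) < BASELINE["PasswordReusePrevention"]:
        findings.append("PasswordReusePrevention below %d" % BASELINE["PasswordReusePrevention"])
    return findings


def apply_baseline(iam_client) -> None:
    """Push the baseline with UpdateAccountPasswordPolicy (real boto3 IAM client required)."""
    iam_client.update_account_password_policy(**BASELINE)


if __name__ == "__main__":
    import boto3  # only needed for a live account; the audit logic above is offline
    iam = boto3.client("iam")
    try:
        current = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        current = {}  # no custom policy set, so the AWS default applies
    for finding in check_password_policy(current):
        print("FINDING:", finding)
```

Run it with read-only IAM credentials to audit; call `apply_baseline(iam)` only once you have agreed the values with your organisation.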
The video guide that accompanies this post is now available on our YouTube channel; please find the link below.
Another part of the best practices for securing your account is to switch on MFA (multi-factor authentication). What it is and how to enable it, we will go through in the next post. Stay tuned!