Chapter 1 : Security Best Practices for AWS IAM Password Policy

Ankit Rao
Aug 9, 2020


The global public cloud service market is projected to reach $266 billion in 2020. This spells out a projected growth of 17.3% since 2018. According to Gartner’s forecast, infrastructure-as-a-service (IaaS) will be the fastest growing segment of the market with 24% predicted growth.

With this ever-increasing adoption of public cloud, its security becomes a critical aspect. Through this series of blogs, I'll pen down some of the very basic security best practices at the resource configuration level that can be followed to improve the security posture of your infrastructure on AWS cloud. I'll try to cover as many AWS services as possible and help an audience who would like to explore the security aspect of cloud. I've chosen AWS Cloud for the obvious reason that it is the most widely used and most popular choice when it comes to cloud adoption.

Let us begin.

To start off, I've selected the first service that comes to mind when we think of cloud adoption, and the one that kick-starts everyone's cloud journey: Identity and Access Management (IAM).

Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

In this blog, I’ll cover only one aspect of IAM, that is AWS IAM Password Policy.

What is AWS IAM Password Policy?

The AWS IAM password policy is a set of rules with which you can place restrictions on the passwords of your IAM users.

Below is the self-explanatory set of rules that make up the IAM password policy:

IAM Password Policy Rules

Security best practices for IAM Password policy:

I've divided the password policy rules into three categories to simplify the security best practices involved:

a) Password complexity:

These five password policy rules determine the complexity of the passwords that IAM users may create. It is recommended that the minimum password length be set to 14 or more, and that a password be required to contain uppercase and lowercase letters, at least one number and at least one non-alphanumeric character.

Enabling all of these checks ensures that every password created for any IAM user in your AWS account will be complex, thereby enhancing security.

b) Password expiration:

These three password policy rules ensure that IAM users change their password after a specified period of time. It is recommended that passwords be set to expire after 90 days or less. Making your IAM users change passwords regularly makes it harder for attackers to predict them, thereby enhancing security.

Further, enable the "Password expiration requires administrator reset" rule only if you have an active IAM user with admin access for managing your account, so that the admin keeps track of all the active users in the account; otherwise, keep this rule disabled.

c) Password reuse:

This rule prevents the reuse of passwords. It is recommended that this value be set to 24 or more, meaning that a user cannot reuse any of their last 24 passwords when changing their password, which further makes predicting the user's password harder.

* This value may be set to a lower number as per the individual's or organization's needs.

Points to be noted:

a) The password policy does not apply to the root user of the AWS account.

b) The password settings described here apply only to passwords assigned to IAM users and do not affect any access keys they might have.

Configuring the AWS IAM Password Policy:

a) Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/

b) In the navigation pane, click Account Settings, then click Set Password Policy (or Change Password Policy for accounts with an existing policy).

c) In the Password Policy section, select the options suggested above to put a strong password policy in place, and click Save Changes.

IAM Password Policy with Security best practices followed

This is how you can set up a strong password policy in a few simple steps, which will surely help enhance the security posture of your AWS account.
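The same settings can be checked and applied outside the console. The script below is an added example, not code from the original post: it audits a password policy dict against the three categories above and builds the matching update call. The key names are those returned by `aws iam get-account-password-policy` (and accepted by boto3's `update_account_password_policy`); the sample values are constructed and deliberately non-compliant.

```python
# Thresholds from the post: 14+ chars, all four character classes,
# expiry within 90 days, no reuse of the last 24 passwords.
MIN_LENGTH, MAX_AGE_DAYS, REUSE_HISTORY = 14, 90, 24

# Constructed sample (not a real account), in the shape of the "PasswordPolicy"
# object returned by `aws iam get-account-password-policy`. It deliberately
# fails several checks. "PasswordReusePrevention" is absent: AWS omits the key
# when reuse prevention is unset, and likewise "MaxPasswordAge" when no expiry is set.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 180, "HardExpiry": False,
}


def audit_password_policy(policy):
    """Return (check_name, passed, observed_value) tuples for one policy dict."""
    length = policy.get("MinimumPasswordLength", 0)
    findings = [("min_length>=14", length >= MIN_LENGTH, length)]
    # a) complexity: every character class must be required
    for key in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                "RequireNumbers", "RequireSymbols"):
        findings.append((key, bool(policy.get(key)), policy.get(key)))
    # b) expiration: a missing key means passwords never expire
    max_age = policy.get("MaxPasswordAge")
    findings.append(("max_age<=90", max_age is not None and max_age <= MAX_AGE_DAYS, max_age))
    # c) reuse: a missing key means any old password can be reused
    reuse = policy.get("PasswordReusePrevention")
    findings.append(("reuse_prevention>=24", reuse is not None and reuse >= REUSE_HISTORY, reuse))
    return findings


def is_compliant(policy):
    return all(passed for _, passed, _ in audit_password_policy(policy))


def recommended_policy_update():
    """kwargs for boto3 iam.update_account_password_policy(**kwargs) that apply
    every recommendation above in one call (HardExpiry stays off unless an
    admin handles resets, as the post advises)."""
    return {
        "MinimumPasswordLength": MIN_LENGTH, "RequireSymbols": True,
        "RequireNumbers": True, "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True, "AllowUsersToChangePassword": True,
        "MaxPasswordAge": MAX_AGE_DAYS, "PasswordReusePrevention": REUSE_HISTORY,
        "HardExpiry": False,
    }
```

Against a live account, feed `iam.get_account_password_policy()["PasswordPolicy"]` to `audit_password_policy` (note that the call raises `NoSuchEntity` when no policy has ever been set, which is itself a finding).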

References:

CIS Amazon Web Services Foundations Benchmark v1.3.0

Ankit Rao

A passionate Cloud and Cloud Security enthusiast☁️️. AWS Certified Solutions Architect | Microsoft Azure | GCP | Cloud Security | CIS Contributor | DevSecOps