
How to implement IAM password policies


In this blog, you will learn how to implement IAM password policies to enhance security by ensuring strong, unique passwords. We’ll cover key strategies and best practices for creating effective password policies in your organization.

Default password policy in AWS

This is the default password policy in AWS:

  • Passwords for your AWS account must be at least 8 characters long.
  • A password must contain at least three of the following character types: numbers, uppercase letters, lowercase letters, non-alphanumeric characters (such as !, @, #, $), and spaces.
  • Passwords never expire, so users can keep using them without having to change them.
  • Passwords must not be the same as your AWS account name or email address.

These rules help protect your account by making sure that your passwords are strong and not made up of information that is easy to figure out.

Here’s an example configuration for a strong password policy:

  • Minimum password length: 12 characters
  • Require at least one uppercase letter: Checked
  • Require at least one lowercase letter: Checked
  • Require at least one number: Checked
  • Require at least one non-alphanumeric character: Checked
  • Allow users to change their own password: Checked
  • Enable password expiration every 90 days for security purposes
  • Prevent password reuse: 5 previous passwords
  • Require users to change their password after a specified period: 365 days

Steps to implement IAM password policies

First, log in to the AWS Management Console.

Then search for IAM and go to Account settings.

Next, click Edit under Password policy.

You will see an interface with two options: IAM default and Custom. Click Custom.

Configure the policy as follows:

  • Minimum password length is 12 characters.
  • Require at least one uppercase and one lowercase letter.
  • Require at least one number.
  • Require at least one non-alphanumeric character.
  • Expire the password after 90 days.
  • Apply the remaining settings listed in the example configuration above.

Then click on Save changes.
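To check what the policy above actually enforces, here is an added example (not part of the original post) that validates candidate passwords locally against a policy expressed with the same field names that aws iam get-account-password-policy returns. The account name, email, password history and dates are constructed sample values.

```python
import string
from datetime import date, timedelta

# Field names match the IAM GetAccountPasswordPolicy response; the values
# mirror the example configuration in this post.
POLICY = {
    "MinimumPasswordLength": 12,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,           # days before the password expires
    "PasswordReusePrevention": 5,   # previous passwords that may not be reused
}

def check_password(password, account_name, email, previous, policy=POLICY):
    """Return the list of rules a candidate password violates (empty = OK).

    `previous` is the user's password history, most recent first. IAM stores
    hashes; plain strings are used here only so the example runs stand-alone.
    """
    violations = []
    if len(password) < policy["MinimumPasswordLength"]:
        violations.append("too short")
    # Simplification: any non-alphanumeric character counts as a symbol
    # (AWS documents a specific symbol set; this check is slightly looser).
    classes = {
        "RequireUppercaseCharacters": str.isupper,
        "RequireLowercaseCharacters": str.islower,
        "RequireNumbers": str.isdigit,
        "RequireSymbols": lambda c: not c.isalnum(),
    }
    for rule, test in classes.items():
        if policy[rule] and not any(test(c) for c in password):
            violations.append(rule)
    # The default policy also forbids using the account name or email.
    if password.lower() in (account_name.lower(), email.lower()):
        violations.append("matches account name or email")
    if password in previous[: policy["PasswordReusePrevention"]]:
        violations.append("reused within last %d" % policy["PasswordReusePrevention"])
    return violations

def password_expired(last_changed, today, policy=POLICY):
    """True when the password is older than MaxPasswordAge days."""
    return (today - last_changed) > timedelta(days=policy["MaxPasswordAge"])
```

The same settings can be applied from the CLI with aws iam update-account-password-policy instead of the console steps above.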

In Account settings, next to the password policy, there is one more item: the Security Token Service (STS). It is a service that issues temporary, limited-privilege credentials to AWS users or services. With these temporary credentials you can access AWS resources safely without creating long-term credentials such as IAM users and access keys. STS is commonly used for federated users, cross-account access, and situations where access is only needed for a short time.

aws sts assume-role --role-arn <RoleARN> --role-session-name <SessionName>

  • Permissions: The IAM role must be attached to a policy that allows the actions you want to perform on AWS resources.
  • Duration: Temporary credentials have a time limit after which they are no longer usable. This expiration time can be anywhere from 15 minutes to 12 hours, depending on how you configure it.
  • Security: To reduce the risks that come with long-term credentials, always use temporary credentials when you can.

By default, 18 endpoints are present for the Security Token Service.

Conclusion

In conclusion, by implementing robust IAM password policies, you enhance security, protect sensitive data, and ensure regulatory compliance. Follow these steps to safeguard your organization against unauthorized access and cyber threats.

If you like this blog, you can share it with your friends or colleagues. You can connect with me on social media profiles like LinkedIn, Twitter, and Instagram. If you have any doubts regarding the implementation, feel free to comment.