
ANZ Summit 2022 Dev Lab: Automate Setting AWS Account Password Policy for IAM Users

License: MIT No Attribution (MIT-0)

Automate Setting AWS Account Password Policy for IAM Users

Lab Introduction

This lab walks you through the steps you need to take to automatically set the IAM Password Policy for all AWS IAM users according to AWS Foundational Security Best Practices standard, which recommends that password policies for IAM users should have strong configurations.

To access the AWS Management Console, IAM users need passwords. As a best practice, AWS highly recommends that instead of creating IAM users, you use federated access. Federation allows users to use their existing corporate credentials to log into the AWS Management Console. Use AWS Single Sign-On (AWS SSO) to create or federate the user, and then assume an IAM role into an account. After federation activation, you may need to enforce expiration of old user passwords. In this case, this lab will show you how you can effectively update the password policy for all IAM users across all AWS accounts.

By default, the IAM Password Policy enforces a limited number of conditions:

  • Minimum password length of 8 characters and a maximum length of 128 characters.
  • Minimum of three of the following mix of character types: uppercase, lowercase, numbers, and ! @ # $ % ^ & * ( ) _ + - = [ ] { } | ' symbols.
  • Must not be identical to your AWS account name or email address.

This lab will show you how to update the IAM Password Policy by setting a strong password configuration with the following conditions:

  • At least one uppercase letter is required.
  • At least one lowercase letter is required.
  • At least one non-alphanumeric character is required.
  • At least one number is required.
  • Minimum password length of 8 characters.

Lab Design

In this lab, you will deploy an AWS CloudFormation template to automatically set the account password policy. The CloudFormation template defines a custom resource which invokes an AWS Lambda function to perform the required action. The Lambda function uses the AWS SDK for Python (Boto3) to call the AWS Identity and Access Management API to update the password policy settings for the AWS account.

For your reference, the Lambda function runtime is Python 3.9, and the function's execution role needs permission to call the IAM action UpdateAccountPasswordPolicy in order to run the piece of code below.

import boto3

iam = boto3.client('iam')

response = iam.update_account_password_policy(
   # set parameters as required by AWS FSBP standard control (IAM.7)
   # parameters that are not specified revert to their default values
   RequireNumbers = True,              # must contain at least one numeric character (0 to 9)
   RequireSymbols = True,              # at least one of the characters: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
   MinimumPasswordLength = 8,          # 8 is the minimum length required by the Security Hub IAM.7 control
   RequireUppercaseCharacters = True,  # at least one uppercase character from alphabet (A to Z)
   RequireLowercaseCharacters = True,  # at least one lowercase character from alphabet (a to z)
)
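The snippet above is the IAM call itself; the CloudFormation custom resource described in the Lab Design also has to answer the Create, Update and Delete requests that CloudFormation sends and report back on the pre-signed ResponseURL, otherwise the stack hangs until it times out. The handler below is an added example written for this page, not the lab's own Lambda code. It uses the same five UpdateAccountPasswordPolicy parameters, takes the IAM client and the response sender as arguments so it can be exercised without AWS access (constructed fake client in the test), and deliberately does nothing on Delete, which matches the Lab Cleanup note that deleting the stack leaves the password policy in place. The function names and the "iam-password-policy" physical resource id are assumptions.

```python
"""Lambda handler for a CloudFormation custom resource that sets the IAM account password policy.

Added illustration for this lab page, not the lab's own Lambda code. The response body
fields follow the CloudFormation custom resource contract (Status, Reason,
PhysicalResourceId, StackId, RequestId, LogicalResourceId, Data).
"""
import json
import urllib.request

# Settings required by the AWS FSBP / Security Hub IAM.7 control, as in the lab snippet.
# Any parameter not passed to UpdateAccountPasswordPolicy reverts to its default.
PASSWORD_POLICY = {
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
}


def apply_password_policy(iam_client, policy=PASSWORD_POLICY):
    """Call UpdateAccountPasswordPolicy and return the settings that were applied."""
    iam_client.update_account_password_policy(**policy)
    return dict(policy)


def send_cfn_response(event, context, status, reason, data=None):
    """PUT the result to the pre-signed S3 URL CloudFormation is waiting on.

    CloudFormation expects an empty Content-Type header on this request.
    """
    body = json.dumps({
        "Status": status,
        "Reason": reason,
        "PhysicalResourceId": "iam-password-policy",  # assumed id; stable across updates
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }).encode()
    req = urllib.request.Request(
        event["ResponseURL"], data=body, method="PUT",
        headers={"Content-Type": "", "Content-Length": str(len(body))},
    )
    urllib.request.urlopen(req)


def handle_request(event, context, iam_client, responder=send_cfn_response):
    """Dispatch on RequestType. Returns the status string that was reported.

    Create/Update apply the policy; Delete reports success without touching IAM so that
    deleting the stack does not weaken the account (same behaviour the lab describes).
    A failure is always reported to CloudFormation so the stack rolls back instead of hanging.
    """
    request_type = event["RequestType"]
    try:
        if request_type in ("Create", "Update"):
            applied = apply_password_policy(iam_client)
            responder(event, context, "SUCCESS", "account password policy updated", applied)
        else:
            responder(event, context, "SUCCESS", "stack deletion leaves the password policy in place")
        return "SUCCESS"
    except Exception as exc:  # e.g. AccessDenied when the execution role lacks the IAM permission
        responder(event, context, "FAILED", str(exc))
        return "FAILED"


def lambda_handler(event, context):
    """Entry point for the Python 3.9 runtime; boto3 is imported lazily so the module
    loads (and can be tested) where boto3 is not installed."""
    import boto3
    return handle_request(event, context, boto3.client("iam"))
```

Because `handle_request` receives its IAM client and responder as parameters, the same code runs unchanged in Lambda and under a local test with fakes, which is the cheapest way to confirm the Delete path never calls IAM before deploying the template.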

Lab Walkthrough

The lab consists of three parts. First, we verify that the AWS account is using the default password policy. Next, we deploy the CloudFormation template to make the account password policy configuration stronger. Finally, we test the password policy change to verify that we cannot create an IAM user with a weak password.

Part 1 - Check current password policy:

  1. Login to AWS console with the credentials provided for you.
  2. Open the AWS IAM console.
  3. Under Access management, click on Account settings.
  4. Observe that this AWS account uses the following default password policy.
    Note: If you see a custom password policy defined, click on the Delete button and acknowledge the confirmation message.

Part 2 - Update password policy configuration:

  1. Open the AWS CloudFormation console.
  2. Click on Create stack and choose With new resources (standard).
  3. Under Create stack, click on Upload a template file.
  4. Download the CloudFormation template file to your local disk.
  5. Click on Choose file and select the file "devlab-iam-password-policy-change.yml" downloaded in previous step.
  6. Wait till file is uploaded, and click Next.
  7. Under Specify stack details, set the Stack name to "devlab-iam-password-policy" and click Next.
  8. Under Configure stack options, click Next.
  9. Under Review devlab-iam-password-policy, check I acknowledge that AWS CloudFormation might create IAM resources and click on Create stack.
  10. The CloudFormation Stack status should be CREATE_IN_PROGRESS.
  11. Refresh after 1 minute to see the status changed to CREATE_COMPLETE.
  12. Go back to the AWS IAM console.
  13. Under Access management, click on Account settings.
  14. Observe that this AWS account now uses a custom password policy with the strong configuration.

Part 3 - Test password policy configuration:

  1. Go to the AWS IAM console.
  2. Under Access management, click on Users.
  3. Click on Add users.
  4. Under Set user details, set the User name to "devlab-test-user".
  5. Under Select AWS access type, choose Password - AWS Management Console access and change Console password to Custom password.
  6. Try to create this user with a weak password and observe that you get a warning message and the Next: Permissions button is disabled.
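Parts 1 to 3 do the check, the change and the test by hand in the console. When the same template is rolled out to many accounts (see the Lab Bonus), a scripted check is more practical. The following is an added example written for this page, not part of the lab material: it reads the account's policy through the IAM GetAccountPasswordPolicy API, compares it with the five IAM.7 settings the lab applies, and mirrors the console's password checks so that a candidate password can be tested against the policy without creating a user. The client is passed in so the logic runs offline against a constructed fake; the function names, the finding texts and the sample passwords are assumptions.

```python
"""Audit an account's IAM password policy against the lab's IAM.7 settings.

Added example for this lab page, not the lab's own code. Assumed helper names.
"""

# The settings the lab's CloudFormation template applies (same values as the Lambda snippet).
REQUIRED_SETTINGS = {
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "MinimumPasswordLength": 8,
}

# Symbol set listed on the IAM account settings page.
ALLOWED_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")


def fetch_password_policy(iam_client):
    """Return the custom policy dict, or None when the account is on the default policy.

    IAM reports 'no custom policy' as a NoSuchEntity error rather than returning the
    default values, which is why this is worth wrapping (Part 1 of the lab is exactly
    the case where the call raises).
    """
    try:
        return iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        return None


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy meets IAM.7."""
    if policy is None:
        return ["no custom password policy: the account uses the default policy"]
    findings = []
    for key, wanted in REQUIRED_SETTINGS.items():
        have = policy.get(key)
        if key == "MinimumPasswordLength":
            if (have or 0) < wanted:
                findings.append(f"{key} is {have}, need at least {wanted}")
        elif bool(have) != wanted:
            findings.append(f"{key} is {have}, need {wanted}")
    return findings


def password_violations(policy, password):
    """Mirror the checks the console applies when a custom password is entered.

    Each rule is only enforced when the policy switches it on, so the same function
    describes both the default and the strengthened policy.
    """
    violations = []
    if len(password) < policy["MinimumPasswordLength"]:
        violations.append("too short")
    if policy.get("RequireUppercaseCharacters") and not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if policy.get("RequireLowercaseCharacters") and not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if policy.get("RequireNumbers") and not any(c.isdigit() for c in password):
        violations.append("no number")
    if policy.get("RequireSymbols") and not any(c in ALLOWED_SYMBOLS for c in password):
        violations.append("no symbol")
    return violations


def audit_account(iam_client):
    """Convenience wrapper: fetch and audit in one call (assumed helper)."""
    return audit_policy(fetch_password_policy(iam_client))


if __name__ == "__main__":
    # Stand-alone run against the real account; needs IAM GetAccountPasswordPolicy permission.
    import boto3
    for finding in audit_account(boto3.client("iam")) or ["policy meets IAM.7"]:
        print(finding)
```

Run with real credentials, `audit_account` returns an empty list after Part 2 and a single "no custom password policy" finding before it, which makes it a quick way to confirm the StackSets rollout described in the Lab Bonus landed in every member account.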

Lab Bonus

If you have your AWS Organizations organization already created, consider implementing a Service Control Policy (SCP) to disallow member accounts from resetting their IAM Password Policies. This step will not be covered in this lab, but is an additional governance mechanism you can apply across multiple accounts or the entire AWS Organization. Firstly, use AWS CloudFormation StackSets to deploy the same AWS CloudFormation template we used in this lab across all your organization's member accounts. Once the IAM Password Policy of member accounts has been updated according to your organization standard, you can attach the SCP below using AWS Organizations to deny further updates to the IAM Password Policy by member accounts.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUpdateAccountPasswordPolicy",
      "Effect": "Deny",
      "Action": "iam:UpdateAccountPasswordPolicy",
      "Resource": "*"
    }
  ]
}

Lab Cleanup

This lab applies a custom IAM Password Policy to an AWS account using an AWS CloudFormation template. Deletion of the CloudFormation stack has no impact on the current password policy. To reset the account password policy to its default configuration, you can deploy the CloudFormation reset template provided to delete the custom password policy created.

Lab Survey

Thank you for participating in this lab. Please leave us feedback so we know how we did and can improve future labs. If the QR code below doesn't work, you can click on the link here.

Survey QR Code