IAM user without password reset
Id: cloudformation-aws-user-iam-missing-password-reset-required
Provider: AWS
Platform: CloudFormation
Severity: Medium
Category: Best Practices
Description
Console-enabled IAM users should require a password reset on first sign-in to prevent reuse of initial credentials if they are intercepted and to ensure each user sets a unique password.
In CloudFormation, check AWS::IAM::User resources. When Properties.LoginProfile contains a Password, LoginProfile.PasswordResetRequired must be present and set to true. This rule flags resources that omit LoginProfile, include only a Password without PasswordResetRequired, or explicitly set PasswordResetRequired to false.
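The check described above, written out as a small template scanner. This is an added example for illustration, not Datadog's own rule implementation. It evaluates the three conditions the rule names (no LoginProfile, LoginProfile without PasswordResetRequired, PasswordResetRequired not true) over a parsed template and, because CloudFormation accepts booleans written as strings, treats "true" and true the same way. The sample templates are constructed JSON versions of the page's examples; for YAML templates you would first load them with a parser that understands tags such as !GetAtt, which is left out here.

```python
"""Flag AWS::IAM::User resources whose console password is not forced to be
reset on first sign-in (the same conditions as
cloudformation-aws-user-iam-missing-password-reset-required)."""
import json

REASON_NO_PROFILE = "LoginProfile is missing"
REASON_NO_FLAG = "LoginProfile.PasswordResetRequired is missing"
REASON_FLAG_FALSE = "LoginProfile.PasswordResetRequired is not true"


def _is_true(value):
    """CloudFormation accepts booleans as true/false or as the strings "true"/"false"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def check_template(template):
    """Return [(logical_id, reason), ...] for every non-compliant IAM user.

    Non-user resources are skipped; findings keep template order."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != "AWS::IAM::User":
            continue
        props = resource.get("Properties") or {}
        login = props.get("LoginProfile")
        if not isinstance(login, dict):
            # Absent (or malformed) LoginProfile: the rule flags this as well.
            findings.append((logical_id, REASON_NO_PROFILE))
        elif "PasswordResetRequired" not in login:
            findings.append((logical_id, REASON_NO_FLAG))
        elif not _is_true(login["PasswordResetRequired"]):
            findings.append((logical_id, REASON_FLAG_FALSE))
    return findings


def check_json_template(text):
    """Convenience wrapper for templates written in JSON."""
    return check_template(json.loads(text))


# Constructed sample templates (JSON form of the page's examples).
COMPLIANT = """{
  "Resources": {
    "myqueue": {"Type": "AWS::SQS::Queue"},
    "myuser": {"Type": "AWS::IAM::User", "Properties": {
      "Path": "/",
      "LoginProfile": {"Password": "myP@ssW0rd", "PasswordResetRequired": true}}}}}"""

RESET_FALSE = """{
  "Resources": {
    "myuser": {"Type": "AWS::IAM::User", "Properties": {
      "LoginProfile": {"Password": "myP@ssW0rd", "PasswordResetRequired": false}}}}}"""

RESET_MISSING = """{
  "Resources": {
    "newuser": {"Type": "AWS::IAM::User", "Properties": {
      "LoginProfile": {"Password": "myP@ssW0rd"}}}}}"""

NO_LOGIN_PROFILE = """{
  "Resources": {
    "topuser": {"Type": "AWS::IAM::User", "Properties": {"Path": "/"}}}}"""

if __name__ == "__main__":
    for name, text in [("compliant", COMPLIANT), ("reset-false", RESET_FALSE),
                       ("reset-missing", RESET_MISSING), ("no-profile", NO_LOGIN_PROFILE)]:
        print(name, check_json_template(text))
```

Running the module prints an empty list for the compliant template and one finding for each of the three non-compliant ones, naming the user's logical ID and which condition it tripped.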
Secure configuration example:
MyUser:
  Type: AWS::IAM::User
  Properties:
    UserName: example-user
    LoginProfile:
      Password: "InitialPassword123!"
      PasswordResetRequired: true
Compliant Code Examples
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  myuser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      LoginProfile:
        Password: myP@ssW0rd
        PasswordResetRequired: true
      Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sqs:*
                Resource:
                  - !GetAtt myqueue.Arn
              - Effect: Deny
                Action:
                  - sqs:*
                NotResource:
                  - !GetAtt myqueue.Arn
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "myuser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "Path": "/",
        "LoginProfile": {
          "Password": "myP@ssW0rd",
          "PasswordResetRequired": true
        },
        "Policies": [
          {
            "PolicyName": "giveaccesstoqueueonly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sqs:*"
                  ],
                  "Resource": [
                    { "Fn::GetAtt": [ "myqueue", "Arn" ] }
                  ]
                },
                {
                  "Effect": "Deny",
                  "Action": [
                    "sqs:*"
                  ],
                  "NotResource": [
                    { "Fn::GetAtt": [ "myqueue", "Arn" ] }
                  ]
                }
              ]
            }
          }
        ]
      }
    }
  }
}
Non-Compliant Code Examples
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  myuser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      LoginProfile:
        Password: myP@ssW0rd
        PasswordResetRequired: false
      Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sqs:*
                Resource:
                  - !GetAtt myqueue.Arn
              - Effect: Deny
                Action:
                  - sqs:*
                NotResource:
                  - !GetAtt myqueue.Arn

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  newuser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      LoginProfile:
        Password: myP@ssW0rd
      Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sqs:*
                Resource:
                  - !GetAtt myqueue.Arn
              - Effect: Deny
                Action:
                  - sqs:*
                NotResource:
                  - !GetAtt myqueue.Arn

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  topuser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sqs:*
                Resource:
                  - !GetAtt myqueue.Arn
              - Effect: Deny
                Action:
                  - sqs:*
                NotResource:
                  - !GetAtt myqueue.Arn