IAM password policy should prevent the reuse of passwords

Description

IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.

Rationale

Preventing password reuse increases account resiliency against brute force login attempts.

Remediation

From the console

  1. Log in to the AWS Console. Use an account that has permission to view identity access management account settings.
  2. Navigate to IAM service.
  3. Click on Account Settings on the left pane.
  4. Ensure that the Prevent password reuse checkbox is selected.
  5. Set Number of passwords to remember to 24.

From the command line

aws iam update-account-password-policy --password-reuse-prevention 24
  • Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.

References

  1. https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy