Weak credential policy - Password strength - cloudformation

Need

Implementation of a strong password policy

Context

  • Usage of CloudFormation for Infrastructure as Code (IaC)
  • Usage of AWS IAM for managing user access and permissions

Description

Non-compliant code

        Resources:
          WeakIAMUser:
            Type: AWS::IAM::User
            Properties:
              UserName: my-user
              # The console password is a LoginProfile property of the user;
              # CloudFormation has no standalone AWS::IAM::LoginProfile type.
              LoginProfile:
                Password: "TemporaryPassword123"
                PasswordResetRequired: false

This CloudFormation example creates an IAM user but does not enforce any account-level password policy. Without such a policy, users can set weak passwords, making accounts more susceptible to brute-force or guessing attacks.

Steps

Compliant code

        Resources:
          StrongPasswordPolicy:
            Type: AWS::IAM::AccountPasswordPolicy
            Properties:
              MinimumPasswordLength: 14
              RequireUppercaseCharacters: true
              RequireLowercaseCharacters: true
              RequireNumbers: true
              RequireSymbols: true
              AllowUsersToChangePassword: true
              PasswordReusePrevention: 5
              MaxPasswordAge: 90

This CloudFormation example defines an account-level password policy with the AWS::IAM::AccountPasswordPolicy resource. It enforces a minimum length of 14 characters, requires uppercase, lowercase, numeric and symbol characters, prevents reuse of the last 5 passwords, and expires passwords after 90 days, while still allowing users to change their own passwords.
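The following is an added example (not code from the original page): a small lint check that applies the baseline from the compliant template to a CloudFormation template already parsed into a dict, flagging both the missing-policy case of the non-compliant template and a policy weaker than the baseline. The sample templates at the bottom are constructed, modelled on the two templates above.

```python
# Added example, not from the original page: a lint check for the weak-credential
# pattern above, run over a template parsed into a dict (the JSON form of the YAML).
BASELINE = {  # minimum acceptable values, mirroring the compliant template
    "MinimumPasswordLength": 14, "PasswordReusePrevention": 5,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "RequireNumbers": True, "RequireSymbols": True,
}
MAX_PASSWORD_AGE = 90  # days; MaxPasswordAge must be set and must not exceed this


def check_password_policy(template: dict) -> list:
    """Return a list of findings; an empty list means the template is compliant."""
    resources = template.get("Resources", {})
    findings = []
    # Console users are IAM users that carry a LoginProfile (password) block.
    for name, res in resources.items():
        profile = res.get("Properties", {}).get("LoginProfile")
        if res.get("Type") == "AWS::IAM::User" and profile is not None:
            if profile.get("PasswordResetRequired") is not True:
                findings.append(f"{name}: initial password is not forced to change")
    policies = [r for r in resources.values()
                if r.get("Type") == "AWS::IAM::AccountPasswordPolicy"]
    if not policies:
        findings.append("no AWS::IAM::AccountPasswordPolicy resource in template")
        return findings
    props = policies[0].get("Properties", {})
    for key, minimum in BASELINE.items():
        value = props.get(key)
        if isinstance(minimum, bool):
            if value is not True:
                findings.append(f"{key} must be true (got {value!r})")
        elif value is None or value < minimum:
            findings.append(f"{key} must be >= {minimum} (got {value!r})")
    age = props.get("MaxPasswordAge")
    if age is None or age > MAX_PASSWORD_AGE:
        findings.append(f"MaxPasswordAge must be set and <= {MAX_PASSWORD_AGE} days")
    return findings


# Constructed samples modelled on the non-compliant and compliant templates above.
WEAK = {"Resources": {"WeakIAMUser": {"Type": "AWS::IAM::User", "Properties": {
    "UserName": "my-user", "LoginProfile": {"Password": "TemporaryPassword123",
                                           "PasswordResetRequired": False}}}}}
STRONG = {"Resources": {"StrongPasswordPolicy": {
    "Type": "AWS::IAM::AccountPasswordPolicy", "Properties": {
        "MinimumPasswordLength": 14, "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True, "RequireNumbers": True,
        "RequireSymbols": True, "AllowUsersToChangePassword": True,
        "PasswordReusePrevention": 5, "MaxPasswordAge": 90}}}}
```

Running `check_password_policy(WEAK)` reports the unforced password change and the missing policy, while `check_password_policy(STRONG)` returns an empty list.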

References