Ensure IAM password policy has expiration period

Security & Compliance

IAM password policies are used to enforce the creation and use of password complexity. Ensuring IAM password policy has expiration period is a security best practice for AWS Identity and Access Management (IAM) users. It involves setting a policy for the maximum period of time that a user's password can be used before it expires and the user is required to reset it.By implementing a password expiration policy, IAM users are required to change their passwords on a regular basis, which helps to prevent unauthorized access to AWS resources. This is because passwords that are not changed regularly may be more susceptible to being compromised or stolen, which can lead to unauthorized access to sensitive data or resources.An expiration period for IAM passwords is typically set to a fixed number of days (e.g., 90 days), and the user is notified when the password is nearing expiration. When the expiration date is reached, the user is required to change their password to a new, unique, and secure one.By ensuring that the IAM password policy has an expiration period, organizations can enhance the security of their AWS resources and minimize the risk of unauthorized access or data breaches caused by compromised or weak passwords.‍


Here are the remediation steps to ensure that IAM password policy has an expiration period:

  1. Log in to the AWS Management Console with administrator credentials.
  2. Navigate to the IAM dashboard and click on "Account settings."
  3. In the "Password Policy" section, click on "Edit."
  4. Set the maximum password age to a value that suits your organization's security needs. For example, set it to 90 days.
  5. Click on "Apply password policy" to save the changes.
  6. Enable the "Password expiration" option and select the checkbox for "Notify users before their password expires."
  7. Configure the "Password expiration email" to send reminders to users when their password is about to expire.
  8. Click on "Apply password policy" to save the changes.

Once you have completed these steps, the IAM users will be required to change their passwords periodically, based on the maximum age set by the policy. They will also receive reminders when their passwords are nearing expiration. This helps to ensure that IAM users are using strong and secure passwords, and helps to reduce the risk of unauthorized access to AWS resources due to compromised or weak passwords.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.