IAM password policy has no expiration

ID

aws_iam_password_expiration

Severity

low

Vendor

AWS

Resource

IAM

Tags

reachable

Description

IAM password policy has no expiration. Without a maximum password age, IAM user passwords never expire, so a leaked or guessed password stays valid indefinitely and the window in which it can be abused is unbounded.

To fix it, set pw_max_age to a value greater than 0 (IAM accepts a MaxPasswordAge of 1 to 1095 days). Note that pw_expire is a different control: it maps to the IAM HardExpiry setting, which only decides whether a user may set a new password after the old one has expired, and it does not by itself make passwords expire.

Learn more about this topic at AWS IAM password policy.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Password policy for AWS account
      community.aws.iam_password_policy:
        state: present
        min_pw_length: 8
        require_symbols: false
        require_numbers: true
        require_uppercase: true
        require_lowercase: true
        allow_pw_change: true
        pw_reuse_prevent: 5
        # pw_expire only controls HardExpiry; with no pw_max_age set,
        # MaxPasswordAge is never sent and passwords do not expire
        pw_expire: false

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Password policy for AWS account
      community.aws.iam_password_policy:
        state: present
        min_pw_length: 8
        require_symbols: true
        require_numbers: true
        require_uppercase: true
        require_lowercase: true
        allow_pw_change: true
        pw_max_age: 60       # passwords expire after 60 days (1..1095 accepted)
        pw_reuse_prevent: 5
        pw_expire: false     # HardExpiry: users may still set a new password once expired
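The following is an added example, not part of this rule page or of the community.aws collection. It evaluates the aws_iam_password_expiration check offline against the two kinds of input a practitioner meets: the argument dict of a community.aws.iam_password_policy task (what a playbook scanner sees) and the PasswordPolicy dict returned by the IAM GetAccountPasswordPolicy API (what a live audit sees). The two task dicts are the vulnerable and fixed tasks from this page; the two API responses are constructed to match them. The assumptions are that the module sends MaxPasswordAge only when pw_max_age is a positive integer, and that pw_expire maps to HardExpiry; the check_live_account helper is only exercised if you pass it a boto3 IAM client.

```python
"""Evaluate the aws_iam_password_expiration rule offline (added example)."""

RULE_ID = "aws_iam_password_expiration"
AWS_MAX_PASSWORD_AGE = 1095  # IAM accepts MaxPasswordAge of 1..1095 days


def check_task_args(args: dict) -> list:
    """Findings for one community.aws.iam_password_policy task's arguments.

    Assumption: the module only sends MaxPasswordAge when pw_max_age is a
    positive integer, so a missing, null, zero or boolean value leaves
    account passwords non-expiring. pw_expire (HardExpiry) is ignored here.
    """
    findings = []
    if args.get("state", "present") != "present":
        return findings  # deleting the policy is outside this rule's scope
    max_age = args.get("pw_max_age")
    if isinstance(max_age, bool) or not isinstance(max_age, int) or max_age <= 0:
        findings.append(f"{RULE_ID}: pw_max_age is {max_age!r}; set pw_max_age > 0")
    elif max_age > AWS_MAX_PASSWORD_AGE:
        findings.append(
            f"{RULE_ID}: pw_max_age {max_age} exceeds the IAM limit of "
            f"{AWS_MAX_PASSWORD_AGE} days and the API call will fail"
        )
    return findings


def check_account_policy(policy: dict) -> list:
    """Findings for the PasswordPolicy dict from IAM GetAccountPasswordPolicy.

    IAM reports ExpirePasswords=True together with MaxPasswordAge only when
    an expiry is configured; otherwise ExpirePasswords is False and
    MaxPasswordAge is absent.
    """
    findings = []
    if not policy.get("ExpirePasswords") or "MaxPasswordAge" not in policy:
        findings.append(f"{RULE_ID}: account password policy has no expiry")
    return findings


def check_live_account(iam_client) -> list:
    """Fetch the live policy with a boto3 IAM client and evaluate it.

    NoSuchEntity means no account password policy exists at all, which the
    page's fix (state: present) also resolves.
    """
    try:
        policy = iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        return [f"{RULE_ID}: no account password policy configured"]
    return check_account_policy(policy)


def fix_task_args(args: dict, pw_max_age: int = 60) -> dict:
    """Return a copy of the task arguments with an expiry set (the page's fix)."""
    if not 1 <= pw_max_age <= AWS_MAX_PASSWORD_AGE:
        raise ValueError(f"pw_max_age must be 1..{AWS_MAX_PASSWORD_AGE}, got {pw_max_age}")
    fixed = dict(args)
    fixed["pw_max_age"] = pw_max_age
    return fixed


# Constructed input: the vulnerable task from this page as an argument dict.
VULNERABLE_TASK = {
    "state": "present",
    "min_pw_length": 8,
    "require_symbols": False,
    "require_numbers": True,
    "require_uppercase": True,
    "require_lowercase": True,
    "allow_pw_change": True,
    "pw_reuse_prevent": 5,
    "pw_expire": False,  # HardExpiry only; not an expiry switch
}
FIXED_TASK = fix_task_args(VULNERABLE_TASK)  # pw_max_age: 60, as on the page

# Constructed GetAccountPasswordPolicy responses matching the two states.
LIVE_NO_EXPIRY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "PasswordReusePrevention": 5,
    "HardExpiry": False,
}
LIVE_WITH_EXPIRY = {**LIVE_NO_EXPIRY, "ExpirePasswords": True, "MaxPasswordAge": 60}

if __name__ == "__main__":
    for label, findings in [
        ("vulnerable task", check_task_args(VULNERABLE_TASK)),
        ("fixed task", check_task_args(FIXED_TASK)),
        ("live, no expiry", check_account_policy(LIVE_NO_EXPIRY)),
        ("live, 60-day expiry", check_account_policy(LIVE_WITH_EXPIRY)),
    ]:
        print(f"{label}: {findings or 'OK'}")
```

The task-level check deliberately rejects pw_max_age: true, since YAML booleans are accepted where an integer is expected and would otherwise be treated as 1 day; the account-level check keys on ExpirePasswords rather than on HardExpiry, which is the same distinction the page draws between pw_max_age and pw_expire.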