IAM Password policy has no reuse prevention

ID

aws_iam_password_reuse

Severity

low

Vendor

AWS

Resource

IAM

Tags

reachable

Description

The IAM password policy has no reuse prevention. If a previous password can be reused, the chance of the password being compromised is higher.

The minimum number of different passwords should be greater than or equal to 5. You can change this number with the minimum_different_passwords property.

To fix it, you must configure pw_reuse_prevent >= 5.
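The rule above amounts to a single check over the playbook: every iam_password_policy task with state present must set pw_reuse_prevent to at least minimum_different_passwords. The script below is an added example, not code from this rule's own scanner, implementing that check in Python over a playbook that has already been loaded from YAML (the list of plays that yaml.safe_load returns, so no YAML library is needed to run it). It walks tasks, pre_tasks, post_tasks, handlers and nested block/rescue/always sections, matches the module under any collection prefix, and treats an unset or non-integer pw_reuse_prevent as a failure. The sample playbook and the helper names are constructed for this example.

```python
"""Flag Ansible iam_password_policy tasks whose password-reuse prevention is weaker
than the rule's minimum_different_passwords threshold (default 5).

Added example for the aws_iam_password_reuse rule; it works on a playbook that has
already been loaded from YAML (the structure yaml.safe_load returns).
"""
from typing import Any, Dict, Iterator, List, Optional

RULE_ID = "aws_iam_password_reuse"
SEVERITY = "low"
DEFAULT_MINIMUM_DIFFERENT_PASSWORDS = 5  # the rule's default threshold


def password_policy_args(task: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the module arguments if the task calls iam_password_policy under any
    collection prefix (e.g. community.aws.iam_password_policy) or the bare name."""
    for key, value in task.items():
        if key == "iam_password_policy" or key.endswith(".iam_password_policy"):
            return value if isinstance(value, dict) else {}
    return None


def iter_tasks(entries: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Walk a task list, descending into block/rescue/always so nested tasks are seen."""
    for entry in entries or []:
        if any(section in entry for section in ("block", "rescue", "always")):
            for section in ("block", "rescue", "always"):
                yield from iter_tasks(entry.get(section, []))
        else:
            yield entry


def check_reuse_prevention(
    args: Dict[str, Any],
    minimum_different_passwords: int = DEFAULT_MINIMUM_DIFFERENT_PASSWORDS,
) -> Optional[str]:
    """Return a reason string when the policy fails the rule, None when it passes."""
    if args.get("state", "present") == "absent":
        return None  # deleting the policy is outside this rule's scope
    raw = args.get("pw_reuse_prevent")
    if raw is None:
        return "pw_reuse_prevent is not set, so previous passwords may be reused"
    try:
        value = int(raw)  # YAML may carry the value as a quoted string
    except (TypeError, ValueError):
        return f"pw_reuse_prevent is not an integer: {raw!r}"
    if value < minimum_different_passwords:
        return (f"pw_reuse_prevent={value} is below the required minimum of "
                f"{minimum_different_passwords}")
    return None


def scan_playbook(
    playbook: List[Dict[str, Any]],
    minimum_different_passwords: int = DEFAULT_MINIMUM_DIFFERENT_PASSWORDS,
) -> List[Dict[str, str]]:
    """Return one finding per iam_password_policy task that fails the rule."""
    findings: List[Dict[str, str]] = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in iter_tasks(play.get(section, [])):
                args = password_policy_args(task)
                if args is None:
                    continue
                reason = check_reuse_prevention(args, minimum_different_passwords)
                if reason:
                    findings.append({
                        "rule": RULE_ID,
                        "severity": SEVERITY,
                        "play": play.get("name", "<unnamed play>"),
                        "task": task.get("name", "<unnamed task>"),
                        "reason": reason,
                    })
    return findings


# Constructed sample: the page's failing and fixed tasks plus two edge cases
# (a policy that never sets pw_reuse_prevent, and a weak one nested in a block).
SAMPLE_PLAYBOOK: List[Dict[str, Any]] = [
    {"name": "Example playbook", "hosts": "localhost", "tasks": [
        {"name": "Password policy for AWS account",
         "community.aws.iam_password_policy": {
             "state": "present", "min_pw_length": 8,
             "pw_reuse_prevent": 0, "pw_expire": False}},
        {"name": "Fixed password policy",
         "community.aws.iam_password_policy": {
             "state": "present", "min_pw_length": 8, "pw_max_age": 60,
             "pw_reuse_prevent": 5, "pw_expire": False}},
        {"name": "Policy without reuse prevention",
         "community.aws.iam_password_policy": {"state": "present", "min_pw_length": 14}},
        {"block": [
            {"name": "Nested policy with weak reuse prevention",
             "iam_password_policy": {"state": "present", "pw_reuse_prevent": "3"}},
        ]},
    ]},
]

if __name__ == "__main__":
    for finding in scan_playbook(SAMPLE_PLAYBOOK):
        print(f"[{finding['severity']}] {finding['rule']}: play '{finding['play']}', "
              f"task '{finding['task']}': {finding['reason']}")
```

Running the script reports three findings for the sample (the page's pw_reuse_prevent: 0 task, the task with no pw_reuse_prevent at all, and the nested task with "3") and stays silent on the fixed task. Passing minimum_different_passwords to scan_playbook mirrors the rule's configurable property.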

Learn more about this topic at AWS IAM password policy.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Password policy for AWS account
      community.aws.iam_password_policy:
        state: present
        min_pw_length: 8
        require_symbols: true
        require_numbers: true
        require_uppercase: true
        require_lowercase: true
        allow_pw_change: true
        pw_reuse_prevent: 0  # fails the rule: previous passwords can be reused
        pw_expire: false

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Password policy for AWS account
      community.aws.iam_password_policy:
        state: present
        min_pw_length: 8
        require_symbols: true
        require_numbers: true
        require_uppercase: true
        require_lowercase: true
        allow_pw_change: true
        pw_max_age: 60
        pw_reuse_prevent: 5  # passes the rule: the last 5 passwords cannot be reused
        pw_expire: false