IAM Password is unchangeable in the policy

ID

aws_iam_password_unchangeable

Severity

low

Vendor

AWS

Resource

IAM

Tags

reachable

Description

The IAM account password policy does not allow users to change their own password. If users cannot change their password, the chance of the password being compromised is higher.

To fix it, set allow_pw_change: true in the community.aws.iam_password_policy task; the module's default value is false, so leaving the parameter out also triggers this check.

Learn more about this topic at AWS IAM password policy.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Password policy for AWS account
      community.aws.iam_password_policy:
        state: present
        min_pw_length: 8
        require_symbols: true
        require_numbers: true
        require_uppercase: true
        require_lowercase: true
        allow_pw_change: false
        pw_reuse_prevent: 0
        pw_expire: false

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Password policy for AWS account
      community.aws.iam_password_policy:
        state: present
        min_pw_length: 8
        require_symbols: true
        require_numbers: true
        require_uppercase: true
        require_lowercase: true
        allow_pw_change: true
        pw_max_age: 60
        pw_reuse_prevent: 5
        pw_expire: false
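The check this rule performs, as an added example (not code from the rule page or from the community.aws collection): it walks a parsed Ansible playbook, finds every iam_password_policy task and reports those where allow_pw_change is false or missing, treating the module's default as false. The playbook below is constructed inline as the Python equivalent of the YAML above (a real scanner would use yaml.safe_load); the rule and module names come from the page.

```python
# Added example for the aws_iam_password_unchangeable rule; the playbook
# below is a constructed Python mirror of the YAML so it runs without PyYAML.

RULE_ID = "aws_iam_password_unchangeable"
# Both the fully qualified and the short module name are accepted by Ansible.
MODULE_NAMES = {"community.aws.iam_password_policy", "iam_password_policy"}
# Ansible accepts several spellings of a boolean in task arguments.
TRUE_VALUES = {True, "true", "True", "yes", "Yes", "on", "1", 1}

def iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks or []:
        nested = False
        for section in ("block", "rescue", "always"):
            if section in task:
                nested = True
                yield from iter_tasks(task[section])
        if not nested:
            yield task

def check_playbook(plays):
    """Return findings for tasks whose password policy leaves allow_pw_change off."""
    findings = []
    for play in plays:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in iter_tasks(play.get(section)):
                for module in MODULE_NAMES & set(task):
                    args = task[module] if isinstance(task[module], dict) else {}
                    # Module default is false, so a missing key is also a finding.
                    if args.get("allow_pw_change") not in TRUE_VALUES:
                        findings.append({"rule": RULE_ID, "task": task.get("name", "<unnamed>")})
    return findings

# Constructed playbook: the page's vulnerable task, a fixed task inside a
# block, and a task that relies on the module default.
CONSTRUCTED_PLAYBOOK = [{
    "name": "Example playbook", "hosts": "localhost",
    "tasks": [
        {"name": "Password policy (flagged)",
         "community.aws.iam_password_policy": {"state": "present", "allow_pw_change": False}},
        {"block": [{"name": "Password policy (fixed)",
                    "iam_password_policy": {"state": "present", "allow_pw_change": "yes"}}]},
        {"name": "Password policy (default)",
         "community.aws.iam_password_policy": {"state": "present", "min_pw_length": 8}},
    ]}]

if __name__ == "__main__":
    for finding in check_playbook(CONSTRUCTED_PLAYBOOK):
        print(f"{finding['rule']}: {finding['task']}")
```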