Password Policy Missing- 'Require Symbols'

This plugin ensures that the password policy needs symbols to be used.

Risk Level: Medium

Description: 

This plugin ensures that the password policy needs symbols to be used. A strong password policy requires minimum duration, expiry time, reuse, and use of symbols.

PingSafe strongly recommends updating the password policy to require the use of symbols.

About the Service :

AWS ID and Access Management (IAM) allows you to securely manage access to AWS services and resources. With IAM, AWS users and groups can be established and managed and permissions used to enable access by AWS resources and prohibit them.

We can discover and adjust the rules so that only the services are accessible. We can thus adhere better to the less privileged principle.

Impact : 

The enforcement of the AWS IAM password's strength, pattern, and rotation are critical when it comes to keeping your AWS account safe and secure.

The absence of a strong password policy will increase the risk of password guessing and brute-forcing.

Steps to reproduce :

  1. Login to AWS Management Console.
    https://console.aws.amazon.com/ 
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam 
  3. Select Account Settings under Access Management.
  4. This page displays a section named Password policy which shows the password policy of the account.
  5. The password should have at least one symbol which is not the case specified clearly in this password policy. This clearly states that the password policy is weak.
  6. Repeat steps for other accounts as well.

Steps for remediation :

  1. Login to AWS Management Console.
    https://console.aws.amazon.com/ 
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam 
  3. Select Account Settings under Access Management.
  4. This page displays a section named Password policy which shows the password policy of the account.
  5. The password should have at least one symbol which is not the case specified clearly in this password policy. This clearly states that the password policy is weak.
  6. Select the Change password policy button. In the Set Password Policy tab that appears check the Require at least one non-alphanumeric character (! @ # $ % ^ & * ( ) _ + - = [ ] { } | ') and then click on Save changes.
  7. Repeat steps for other accounts with the same problem as well.

References: