Weak Password Policy - 'Minimum Password Length'

This plugin guarantees that a password with at least a minimum number of characters is necessary.

Risk Level: Medium

Description: 

This plugin guarantees that a password with at least a minimum number of characters is necessary. A good password policy ensures minimum duration, expiry, reuse, and use of symbols.

PingSafe strongly recommends increasing the minimum length requirement for the password policy.

About the Service :

AWS ID and Access Management (IAM) allows you to securely manage access to AWS services and resources. With IAM, AWS users and groups can be established and managed and permissions used to enable access by AWS resources and prohibit them.

We can discover and adjust the rules so that only the services are accessible. We can thus adhere better to the less privileged principle.

Impact : 

The enforcement of the AWS IAM password's strength, pattern, and rotation are critical when it comes to keeping your AWS account safe and secure.

The absence of a strong password policy will increase the risk of password guessing and brute-forcing.

Steps to reproduce :

  1. Login to AWS Management Console.
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam 
  3. Select Account Settings under Access Management.
  4. This page displays a section named Password policy which shows the password policy of the account.
  5. The minimum password length should be 14 characters. By default, the password length is 10 characters. But in this account, the minimum password length is 8 characters. This clearly states that the password policy is weak.
  6. Repeat steps for other accounts as well.

Steps for remediation :

  1. Login to AWS Management Console.
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam 
  3. Select Account Settings under Access Management.
  4. This page displays a section named Password policy which shows the password policy of the account.
  5. The minimum password length should be 14 characters. By default, the password length is 10 characters. But in this account, the minimum password length is 8 characters. This clearly states that the password policy is weak.
  6. Select the Change password policy button. In the Set Password Policy tab that appears enter the minimum password length characters to be 14 and then click on Save changes.
  7. Repeat steps for other accounts with the same problem as well.

References: