Set IAM Password Policy according to AWS Foundational Security Best Practices Standard

hassantahhan/iampassword
Overview

Set IAM Password Policy for all your AWS accounts according to AWS Foundational Security Best Practices standard, which states that "password policies for IAM users should have strong configurations".
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-7

Notes:

  • AWS highly recommends, as a best practice, using federation via AWS SSO instead of creating IAM users.
  • This solution sets only the minimum requirements needed to pass the AWS Security Hub check; set other parameters as your standard requires.
  • Consider implementing a Service Control Policy (SCP) to disallow linked accounts from resetting their IAM Password Policies.

Environment

The Lambda function has no external dependencies other than Python 3.9 and Boto3, the AWS SDK for Python. The Lambda function's execution role needs permission for the iam:UpdateAccountPasswordPolicy action to run. The suggested timeout is 10 seconds.

Deployment

You can deploy the Lambda function using AWS CloudFormation (see the cloudformation.yml file). You can also use AWS CloudFormation StackSets to update the password policy across multiple accounts or the entire AWS Organization.

Governance

Once the IAM Password Policies across your linked accounts are updated according to your organization's standard, you can implement a Service Control Policy (see the example below) to deny further access to the iam:UpdateAccountPasswordPolicy action. Note that Service Control Policies don't affect users or roles in the management account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUpdateAccountPasswordPolicy",
      "Effect": "Deny",
      "Action": "iam:UpdateAccountPasswordPolicy",
      "Resource": "*"
    }
  ]
}

Testing

The core logic (everything other than the handler method) can be tested locally without deploying to Lambda. I provided two files (test.py and requirements.txt) to help you install and run the code locally. You still need your AWS access credentials in .aws\credentials for the test script to work.
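As an added illustration (not the repository's own code), this is what a Lambda's core logic for this control can look like: pure functions compute the compliance gaps and the update arguments, and the SDK call is isolated so the logic can be exercised with a fake client. The REQUIRED_POLICY values are an assumed baseline for the IAM.7 control (confirm them against the control page linked above), and the code carries existing settings over because UpdateAccountPasswordPolicy resets any parameter you omit to its default.

```python
# Baseline the FSBP IAM.7 control checks (assumed values; confirm against the control
# page linked above and raise them to match your own standard).
REQUIRED_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
}

# Fields UpdateAccountPasswordPolicy accepts; any field omitted from the call reverts
# to its default, so existing values must be carried over explicitly.
SETTABLE = set(REQUIRED_POLICY) | {
    "AllowUsersToChangePassword", "MaxPasswordAge", "PasswordReusePrevention", "HardExpiry"}

def policy_gaps(current):
    """Return the settings in `current` (GetAccountPasswordPolicy output, or {} if the
    account has no policy) that fall short of REQUIRED_POLICY."""
    gaps = {}
    for key, want in REQUIRED_POLICY.items():
        have = current.get(key)
        ok = have is True if isinstance(want, bool) else isinstance(have, int) and have >= want
        if not ok:
            gaps[key] = {"have": have, "want": want}
    return gaps

def merged_policy(current):
    """Build the UpdateAccountPasswordPolicy arguments: keep every existing settable
    value (including stronger ones, e.g. a 14-char minimum) and only raise the gaps."""
    desired = {k: v for k, v in current.items() if k in SETTABLE}
    for key in policy_gaps(current):
        desired[key] = REQUIRED_POLICY[key]
    return desired

def remediate(iam):
    """Read the live policy and call UpdateAccountPasswordPolicy only when gaps exist."""
    try:
        current = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:  # account has never set a policy
        current = {}
    gaps = policy_gaps(current)
    if gaps:
        iam.update_account_password_policy(**merged_policy(current))
    return gaps

def lambda_handler(event, context):
    import boto3  # imported here so the functions above can be unit-tested without the SDK
    return {"gaps": remediate(boto3.client("iam"))}
```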

If you would like to actively monitor your IAM users' permissions for the IAM action UpdateAccountPasswordPolicy, consider using the IAM Canary concept published earlier on GitHub:
https://github.com/hassantahhan/iamcanary

Cost

The total cost of the Lambda function is estimated to be $0.0 USD/month/account.
