Wednesday, June 8, 2016

AWS "one-liners": Configure AWS password policy in one shot

"As soon as you have passwords you need a password policy" - © captain obvious

Limitations:
AWS allows only one password policy for the whole AWS account (it applies to every IAM user's console password, and cannot be set per user or per group).

You can configure it using the web GUI or, if you prefer to have all your infrastructure and security as code, using boto3 and Python:

#!/usr/bin/python

import boto3
import pprint

# Use the credentials of the "staging" profile from ~/.aws/credentials
boto3.setup_default_session(profile_name='staging')
iam = boto3.resource('iam')

# There is exactly one policy per account; update() creates it or replaces the existing one
account_password_policy = iam.AccountPasswordPolicy()
response = account_password_policy.update(
    MinimumPasswordLength=12,
    RequireSymbols=True,
    RequireNumbers=True,
    RequireUppercaseCharacters=True,
    RequireLowercaseCharacters=True,
    AllowUsersToChangePassword=True,
    MaxPasswordAge=90,            # days; setting it also enables password expiration
    PasswordReusePrevention=12,   # number of previous passwords that cannot be reused
    HardExpiry=False              # users may still set a new password after theirs expired
)

pprint.pprint(response)


You can find more details about particular password policy parameters here:

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
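Setting the policy once is not enough; someone with iam:UpdateAccountPasswordPolicy can weaken it later. The following drift check is an added example (not code from the post): it compares the policy returned by get_account_password_policy() with the baseline the script above sets, treats the "no policy ever set" case, which IAM reports as NoSuchEntity, as fully non-compliant, and runs offline against a constructed sample policy dict (fetch_policy() and its profile name are assumptions for a live run).

```python
BASELINE = {
    "MinimumPasswordLength": 12,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 12,
}
# Numeric keys: larger is stricter, except MaxPasswordAge where smaller is stricter
AT_LEAST = {"MinimumPasswordLength", "PasswordReusePrevention"}
AT_MOST = {"MaxPasswordAge"}

def find_drift(policy, baseline=BASELINE):
    """Return [(key, actual, expected)] wherever the live policy is weaker than the
    baseline. `policy` is the 'PasswordPolicy' dict from get_account_password_policy();
    None means the account has no policy at all (every key is reported)."""
    if policy is None:
        return [(key, None, expected) for key, expected in baseline.items()]
    drift = []
    for key, expected in baseline.items():
        actual = policy.get(key)
        if key in AT_LEAST:
            ok = actual is not None and actual >= expected
        elif key in AT_MOST:
            ok = bool(actual) and actual <= expected  # absent or 0 = never expires
        else:
            ok = actual == expected
        if not ok:
            drift.append((key, actual, expected))
    return drift

def fetch_policy(profile_name="staging"):
    """Read the live policy with boto3 (imported lazily so the check itself runs offline)."""
    import boto3
    iam = boto3.session.Session(profile_name=profile_name).client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return None  # IAM raises NoSuchEntity when no policy was ever set

# Constructed sample of a weak account's policy (not real data); a live run would use fetch_policy()
SAMPLE_WEAK = {"MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
               "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
               "AllowUsersToChangePassword": True, "ExpirePasswords": False, "HardExpiry": False}

if __name__ == "__main__":
    for key, actual, expected in find_drift(SAMPLE_WEAK):
        print(f"{key}: got {actual!r}, want {expected!r}")
```

Note that MaxPasswordAge and PasswordReusePrevention are simply absent from the response when they were never set, which is why the check treats a missing key as a failure rather than as "unknown".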

3 comments:

  1. Ihor, I always use IAM accounts with KEY/SECRET IDs. I am confused. Should I ignore this article with my way of AWS credentials?

    Replies
    1. You need a password policy to enforce password complexity and retention on web GUI users. If you are using only API keys or you are the only user in your AWS account - you don't need a password policy to force yourself to use complex passwords :-)

  2. For AWS security:
    - Use the credentials report
    - Use an SSO for multiple accounts access
    - Enable CloudTrail logging
    - Use MFA.
    - make sure to make a distinction between real versus app users.
    - make sure to deactivate passwords for app users
