Setting an Account Password Policy for IAM Users (part 1)
To read part 2, please click here
Rules for Setting a Password Policy
Most password policy settings are enforced the next time a user changes their password; a few take effect immediately. The two cases look like this:
- Minimum length and character type requirements: a change is enforced the next time users change their passwords. Users are not required to change their existing passwords, even if those passwords do not meet the updated policy.
- Password expiration period: enforced immediately. If you set an expiration of 90 days, every IAM user password older than 90 days expires and must be changed the next time that user signs in.
Permissions Required to Set a Password Policy
The following password policy actions can be included in an IAM policy:
- iam:GetAccountPasswordPolicy - Enables the entity to view the password policy for their account.
- iam:DeleteAccountPasswordPolicy - Enables the entity to delete the custom password policy for their account and revert to the default password policy.
- iam:UpdateAccountPasswordPolicy - Enables the entity to create or change the custom password policy for their account.
Custom Password Policy Options
You can specify the following conditions to configure a custom password policy for your account:
- Password minimum length - Must be at least 6 characters and at most 128 characters.
- Password strength - Tick any of the checkboxes to require a given character type in IAM user passwords: at least one uppercase Latin letter (A-Z), at least one lowercase Latin letter (a-z), at least one number, and at least one nonalphanumeric character such as ! @ # % $ ^ & * ( ) _ + - = { } [ ] |.
- Enable password expiration - IAM user passwords can be given a validity period of between 1 and 1095 days.
- Password expiration requires administrator reset - Prevents IAM users from using the AWS Management Console to update their own passwords after the password expires. Before enabling this, confirm that your AWS account has more than one user with administrative permissions to reset IAM user passwords; otherwise a single expired administrator password can lock you out.
- Allow users to change their own password - Grants all IAM users in your account permission to change their own password. This does not attach a permissions policy to each user; IAM applies the permission at the account level for all users.
- Prevent password reuse - Prevents reuse of a specified number of previous passwords. Set how many old passwords cannot be repeated, from a minimum of 1 to a maximum of 24.
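The options above map one-to-one onto a small policy object. The following is an added example, not code from the original article: it models the custom password policy options listed on this page, validates a proposed policy against the ranges the page documents (6-128 characters, 1-1095 days, 1-24 remembered passwords, and the administrator-reset caveat), checks a candidate password against the complexity settings, and builds the keyword arguments that boto3's `iam.update_account_password_policy()` takes. The boto3 parameter names are the real ones, but the block only constructs the dictionary and makes no AWS call, so it runs offline; the default values in `PasswordPolicy` and the symbol set are constructed from the page's text rather than from any AWS default.

```python
from dataclasses import dataclass
from typing import List, Optional

# Nonalphanumeric characters the page lists as satisfying the symbol requirement
# (constructed from the page's list; AWS accepts a wider set, but we stay with the page).
SYMBOLS = set("!@#%$^&*()_+-={}[]|")


@dataclass
class PasswordPolicy:
    """Custom password policy options as described on the page (defaults are constructed)."""
    minimum_length: int = 8
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_numbers: bool = True
    require_symbols: bool = True
    max_password_age: Optional[int] = None       # days, 1..1095; None = no expiration
    hard_expiry: bool = False                     # expiration requires administrator reset
    allow_users_to_change_password: bool = True
    password_reuse_prevention: Optional[int] = None  # 1..24 old passwords remembered; None = off


def validate_policy(policy: PasswordPolicy) -> List[str]:
    """Return the ways the policy violates the ranges the page documents (empty list = OK)."""
    problems = []
    if not 6 <= policy.minimum_length <= 128:
        problems.append("minimum_length must be between 6 and 128")
    if policy.max_password_age is not None and not 1 <= policy.max_password_age <= 1095:
        problems.append("max_password_age must be between 1 and 1095 days")
    if policy.password_reuse_prevention is not None and not 1 <= policy.password_reuse_prevention <= 24:
        problems.append("password_reuse_prevention must be between 1 and 24")
    # "Requires administrator reset" only matters once passwords can actually expire.
    if policy.hard_expiry and policy.max_password_age is None:
        problems.append("hard_expiry has no effect without a password expiration period")
    return problems


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the complexity requirements a candidate password fails to meet."""
    failures = []
    if len(password) < policy.minimum_length:
        failures.append(f"shorter than {policy.minimum_length} characters")
    if policy.require_uppercase and not any("A" <= c <= "Z" for c in password):
        failures.append("no uppercase Latin letter")
    if policy.require_lowercase and not any("a" <= c <= "z" for c in password):
        failures.append("no lowercase Latin letter")
    if policy.require_numbers and not any(c in "0123456789" for c in password):
        failures.append("no number")
    if policy.require_symbols and not any(c in SYMBOLS for c in password):
        failures.append("no nonalphanumeric character")
    return failures


def to_boto3_kwargs(policy: PasswordPolicy) -> dict:
    """Map the policy onto the keyword arguments of boto3's
    iam.update_account_password_policy(). Builds the dict only; no AWS call is made."""
    kwargs = {
        "MinimumPasswordLength": policy.minimum_length,
        "RequireSymbols": policy.require_symbols,
        "RequireNumbers": policy.require_numbers,
        "RequireUppercaseCharacters": policy.require_uppercase,
        "RequireLowercaseCharacters": policy.require_lowercase,
        "AllowUsersToChangePassword": policy.allow_users_to_change_password,
        "HardExpiry": policy.hard_expiry,
    }
    # Optional settings are omitted rather than sent as 0, which the API would reject.
    if policy.max_password_age is not None:
        kwargs["MaxPasswordAge"] = policy.max_password_age
    if policy.password_reuse_prevention is not None:
        kwargs["PasswordReusePrevention"] = policy.password_reuse_prevention
    return kwargs


if __name__ == "__main__":
    # Constructed sample: 90-day expiry, remember 24 old passwords, no hard expiry.
    policy = PasswordPolicy(minimum_length=14, max_password_age=90, password_reuse_prevention=24)
    print("policy problems:", validate_policy(policy))
    print("kwargs:", to_boto3_kwargs(policy))
    for candidate in ("password", "Correct-Horse-Battery-9"):
        print(candidate, "->", check_password(candidate, policy) or "meets policy")
    # To apply for real: boto3.client("iam").update_account_password_policy(**to_boto3_kwargs(policy))
```

Run `validate_policy()` before calling the API: the `hard_expiry` check in particular catches the lockout scenario the page warns about, where administrator reset is required but no second administrator exists to perform it.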