The AWS IAM team has released new credential lifecycle management features that might save you some time when enforcing security best practices for IAM users.
New IAM Features
If you’re working in a corporate IT department, you may find yourself doing some monkey work just to enforce security compliance standards. So, every 3 months (as recommended by AWS) you have to go through the IAM users that were created (usually, way too many) and start rotating the passwords. The process is painful simply because everything is asynchronous. Your availability almost certainly doesn’t match theirs, and if nothing is on fire... well... why bother with security compliance.
Now that AWS has the Password Policy section, administrators can enforce mandatory password rotation periods ranging from 1 day to 3 years. 15 days before the password expires, the user is notified; if no action is taken, the user has to reset their password.
Just by looking at the options, I’m realising that this is a pretty standard corporate feature, probably backed by lots of requests, and I don’t see a security improvement. Requiring one uppercase letter, one number, one non-alphanumeric character and so on is the hacker’s heaven. Knowing that most people put the first letter in uppercase, that the password is at least 8 characters, that the number is at the end, and that the non-alphanumeric character sits right next to the number will drastically reduce the time needed for a brute-force attack. It’s just sad that this corporate shit is perpetuated year after year without any improvement.
Requiring users to create a new password at next sign-in is the most important one, in my opinion. Today, that requires manually following up with the user to ensure that she’s completed the reset. Now, when you manage a user’s password in the console, you can check a box, as shown below, to ensure that the user is required to reset her password the next time she signs into AWS. Ops team WIN! (no, I’m not in Ops)
You can also generate a credential report that lists your IAM users and the status of their AWS security. Having a report that helps you identify (and probably block) the users that don’t have MFA enabled yet is cool, because it saves you from writing custom-made scripts. A cron job that fetches the report and automatically notifies the users that they have a couple of days until their account is blocked if they don’t enable MFA is pretty neat.
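As an added illustration of the cron-job idea above (example code, not from the original post): it parses a constructed credential report in the CSV layout AWS returns, flags console users lacking MFA along with the days left before a hypothetical enforcement deadline, and also surfaces passwords that rotate within the 15-day warning window. The live fetch via boto3 is an assumption about the environment and is not exercised by the offline demo.

```python
import csv
import io
import time
from datetime import datetime, timezone

# Constructed sample report: AWS column names, but only the first nine columns are kept.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2013-01-01T00:00:00+00:00,not_supported,2013-06-01T00:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2013-02-01T00:00:00+00:00,true,2013-07-01T09:00:00+00:00,2013-05-01T00:00:00+00:00,2013-07-30T00:00:00+00:00,false,true
bob,arn:aws:iam::123456789012:user/bob,2013-02-01T00:00:00+00:00,true,2013-07-01T09:00:00+00:00,2013-06-15T00:00:00+00:00,2013-09-13T00:00:00+00:00,true,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2013-03-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true
"""

def fetch_credential_report():
    """Fetch the live report with boto3 (assumed installed and configured with
    iam:GenerateCredentialReport / iam:GetCredentialReport). Not used by demo()."""
    import boto3
    iam = boto3.client("iam")
    # Generation is asynchronous; keep asking until the report is COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")

def users_needing_action(report_csv, now, mfa_deadline, warn_days=15):
    """Console users (password_enabled == true) with no MFA device, or whose password
    rotates within warn_days. Root is skipped: the password policy does not apply to it."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>" or row["password_enabled"] != "true":
            continue
        days_to_rotation = None
        if row["password_next_rotation"] not in ("N/A", "not_supported"):
            next_rotation = datetime.fromisoformat(row["password_next_rotation"])
            days_to_rotation = (next_rotation - now).days
        needs_mfa = row["mfa_active"] != "true"
        rotation_due = days_to_rotation is not None and days_to_rotation <= warn_days
        if needs_mfa or rotation_due:
            findings.append({"user": row["user"], "needs_mfa": needs_mfa,
                             "mfa_days_left": (mfa_deadline - now).days if needs_mfa else None,
                             "days_to_rotation": days_to_rotation})
    return findings

def demo():
    # Fixed clock and a hypothetical MFA enforcement date so the result is reproducible.
    now = datetime(2013, 7, 20, tzinfo=timezone.utc)
    deadline = datetime(2013, 7, 25, tzinfo=timezone.utc)
    return users_needing_action(SAMPLE_REPORT, now, deadline)
```

In a real cron job, pass the output of fetch_credential_report() to users_needing_action() and send each finding to the user (or to whoever blocks accounts once mfa_days_left reaches zero).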
I’m still waiting for lockout on failed login attempts, which is currently not supported. There are no reports of vulnerabilities in this area, but it’s a safe bet against feature-hacking techniques.