IAM password policy does not prevent reuse of previously used passwords Affecting IAM service in AWS

Severity Framework Snyk CCSS

Rule category IAM / Passwords

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-Architected CIS-AWS CIS-Controls CSA-CCM HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00012
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

IAM password policies can prevent the reuse of a given password by the same user. Preventing password reuse increases account resiliency against brute force login attempts.

How to fix?

Set the aws_iam_account_password_policy password_reuse_prevention field to 24 to ensure the previous 24 passwords cannot be reused.

Example Configuration

resource "aws_iam_account_password_policy" "example" {
  password_reuse_prevention = 24
  # other required fields here
}

References

Password Policy for IAM Users