IAM user login profile does not enforce resetting the generated password Affecting IAM service in AWS

Snyk CCSS

IAM / Passwords

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CSA-CCM HIPAA NIST-800-53

Snyk ID SNYK-CC-00339
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

By not requiring the IAM user login profile to reset the generated password, it means that the creator of the password can still have access to the IAM user account.

How to fix?

Set the aws_iam_user_login_profile password_reset_required field to true.

Example Configuration

resource "aws_iam_user_login_profile" "valid" {
  user                    = "example"
  password_reset_required = true
}

Terraform

Resource: aws_iam_user_login_profile

References

Reset a user password