Ensure that initial login requires password reset for AWS IAM Users

HIGH

Description

AWS IAM users may have a console login password configured by an administrator for first-time use. The user should be required to reset that password on the first login, so the initial password is not retained beyond its intended one-time use.

Remediation

Forced password reset for AWS IAM users can be enabled and managed in the AWS IAM Console.

In AWS Console -

  1. Sign in to the AWS Console and go to the IAM console.
  2. Choose Users in the navigation pane and select a user to edit.
  3. Select Security Credentials.
  4. Choose the Enable console access button and select Enable.
  5. Choose the option User must create new password at next sign-in and select Apply.

When creating a new user:

  1. Sign in to the AWS Console and go to the IAM console.
  2. Choose Users in the navigation pane.
  3. Select Add user.
  4. Choose the option Provide user access to the AWS Management Console.
  5. Select Next and choose Create user.

In Terraform -

  1. In the aws_iam_user_login_profile resource, set the password_reset_required field to true. This applies only when the login profile is first created and requires the user to reset the password on the first login; it does not enforce periodic rotation afterwards.
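An added Terraform example (not taken from the page or the provider documentation) showing the setting in context; the user name and the Keybase PGP key reference are constructed placeholders.

```hcl
# Constructed example: an IAM user with console access whose
# administrator-generated password must be changed at first sign-in.
resource "aws_iam_user" "analyst" {
  name = "example-analyst" # placeholder user name
}

resource "aws_iam_user_login_profile" "analyst" {
  user = aws_iam_user.analyst.name

  # Encrypts the generated password with this public key so the
  # plaintext is not written to Terraform state or CLI output.
  pgp_key = "keybase:example_admin" # placeholder key reference

  # The setting this rule checks. Set it explicitly rather than relying
  # on the provider default; "false" would let the generated password
  # persist past the first login and would be flagged as non-compliant.
  password_reset_required = true
}

output "analyst_encrypted_initial_password" {
  value       = aws_iam_user_login_profile.analyst.encrypted_password
  description = "PGP-encrypted one-time password; decrypt with the private key of the pgp_key above"
}
```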

References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile

Policy Details

Rule Reference ID: AC_AWS_0426
CSP: AWS
Remediation Available: Yes
Resource Type: Policy

Frameworks