Drata validates that the AWS IAM account password policy is configured to prevent reuse of any of the last 24 passwords. An IAM password policy can prevent a user from reusing a previous password, and it is recommended that the password policy prevent such reuse.
Preventing password reuse increases account resiliency against brute force login attempts.
ASSOCIATED DRATA CONTROL
This test is part of the Password History Enforcement control (DCF-350) that ensures system configuration settings are in place to prevent password reuse in accordance with company policy and compliance requirements.
WHAT TO DO IF A TEST FAILS
If Drata finds that the current AWS IAM password policy configurations are not set to prevent the use of any of the last 24 passwords, the test will fail.
STEPS TO REMEDIATE
Log in to the AWS Console (with appropriate permissions to view Identity and Access Management Account Settings).
Go to IAM Service on the AWS Console.
Click on Account Settings on the left pane.
Check 'Prevent password reuse'.
Set 'Number of passwords to remember' to 24.
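The console steps above set the PasswordReusePrevention value of the account password policy. The following is an added example, not Drata's own test code, that evaluates a policy the way this test does: it takes a dict with the shape of the PasswordPolicy object returned by boto3's iam.get_account_password_policy() and reports whether at least 24 passwords are remembered. The sample policies are constructed; the boto3 fetch helper is optional and only runs when real AWS credentials are available.

```python
"""Evaluate an AWS IAM account password policy for password-reuse prevention."""
from typing import Optional

REQUIRED_HISTORY = 24  # number of previous passwords IAM must remember


def evaluate_reuse_prevention(policy: Optional[dict],
                              required: int = REQUIRED_HISTORY) -> dict:
    """Return a finding for the reuse-prevention setting of one account policy.

    policy is None when the account has no custom password policy at all
    (boto3 raises NoSuchEntityException there; fetch_live_policy maps it to None).
    'PasswordReusePrevention' is absent when 'Prevent password reuse' is
    unchecked in the console, so a missing key counts as 0 passwords remembered.
    """
    if policy is None:
        return {"passed": False, "remembered": 0,
                "reason": "no account password policy is configured"}
    remembered = int(policy.get("PasswordReusePrevention", 0))
    if remembered < required:
        return {"passed": False, "remembered": remembered,
                "reason": f"policy remembers {remembered} passwords, {required} required"}
    return {"passed": True, "remembered": remembered, "reason": "ok"}


def fetch_live_policy() -> Optional[dict]:
    """Fetch the real account policy with boto3 (needs AWS credentials)."""
    import boto3  # imported lazily so the offline samples run without boto3
    iam = boto3.client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return None  # account has never had a custom policy set


# Constructed sample policies (not real account data).
COMPLIANT = {"MinimumPasswordLength": 14, "PasswordReusePrevention": 24}
TOO_SHORT_HISTORY = {"MinimumPasswordLength": 14, "PasswordReusePrevention": 5}
REUSE_UNCHECKED = {"MinimumPasswordLength": 14}  # key absent: reuse prevention off

if __name__ == "__main__":
    samples = [("compliant", COMPLIANT), ("short history", TOO_SHORT_HISTORY),
               ("unchecked", REUSE_UNCHECKED), ("no policy", None)]
    for name, sample in samples:
        print(f"{name}: {evaluate_reuse_prevention(sample)}")
```

The CLI equivalent of the console steps is `aws iam update-account-password-policy --password-reuse-prevention 24`, but note that this command resets every password policy option you omit to its default, so pass the account's other settings (minimum length, character requirements, expiry) on the same call.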
Center for Internet Security (CIS)
This test aligns with the Center for Internet Security’s (CIS) foundation benchmarks, which provide prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.