neetu-mallan

Write IAM Password Policy to enforce login passwords

In this blog we will learn how to create an IAM password policy and enforce it for every user in the account. All the steps are performed in the AWS CLI.

In the previous blog post, I described how to create a role and assign it to a user:

IAM user role with PowerUserAccess

I have used the same user here after renewing the session token (a session token created by an assume-role API call expires in 60 minutes). After assuming the role, the user has access to the CreateUser API.

Step 1: Create an admin user for administrative purposes using the command
aws iam create-user --user-name IAMAdmin --tags Key=Desc,Value=IAMUserForAccount

Step 2: Use the --query option to filter the result on the client side for a specific policy name

aws iam list-policies --query 'Policies[?PolicyName==`AdministratorAccess`]'

Wrap the string you are comparing against in backticks: in JMESPath a backtick-quoted value is a literal, whereas an unquoted word is treated as a field name.

Attach the AdministratorAccess policy to the IAMAdmin user:
aws iam attach-user-policy --user-name IAMAdmin --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

To learn more about filtering with the --query option, refer to the link below. It explains how server-side and client-side filtering work and how JMESPath syntax lets you extract details such as policy ARNs.

https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html

Step 3: Create access keys for the admin user
aws iam create-access-key --user-name IAMAdmin --output text

Step 4: Create a password policy with a 90-day expiration, a required mix of numbers, symbols, uppercase and lowercase characters, and prevention of password reuse
aws iam update-account-password-policy --minimum-password-length 32 --require-symbols --require-numbers --require-lowercase-characters --require-uppercase-characters --allow-users-to-change-password --max-password-age 90 --password-reuse-prevention 1

To check if the IAM password policy has taken effect:
aws iam get-account-password-policy

Step 5: Generate a random password string that conforms to your policy needs

RANDOM_STRING=$(aws secretsmanager get-random-password --password-length 32 --require-each-included-type --output text --query RandomPassword)

Step 6: Create a login profile for the user IAMAdmin with the random password generated above (quote the variable so that any shell-special characters in the password are passed through unchanged)
aws iam create-login-profile --user-name IAMAdmin --password "$RANDOM_STRING"

Log in with the username and password and check that IAMAdmin has administrative access.

Let's try creating a group and confirm that any new user added to the group must also adhere to the password policy.

Step 7: Create a new group called QualityAssurance
aws iam create-group --group-name QualityAssurance

Attach the AmazonEC2ReadOnlyAccess policy to this group
aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess --group-name QualityAssurance

Step 8: Create a new user for this group
aws iam create-user --user-name Ben

Step 9: Add the user Ben to the QualityAssurance group
aws iam add-user-to-group --user-name Ben --group-name QualityAssurance

Step 10: Generate a random password string that violates our policy (16 characters, shorter than the 32-character minimum)

RANDOM_STRING=$(aws secretsmanager get-random-password --password-length 16 --require-each-included-type --output text --query RandomPassword)

Step 11: Create a login profile for the user named Ben with this non-compliant random password
aws iam create-login-profile --user-name Ben --password "$RANDOM_STRING"

Step 11 fails with the error "Password policy violation: Password should be minimum length of 32", which proves that the password policy is enforced for users created via the API as well.

Let's generate a random password that conforms to the IAM password policy and assign it to the user
RANDOM_STRING=$(aws secretsmanager get-random-password --password-length 32 --require-each-included-type --output text --query RandomPassword)

Step 12: Create a login profile for the user named Ben with the new random password
aws iam create-login-profile --user-name Ben --password "$RANDOM_STRING"

Because Ben only has AmazonEC2ReadOnlyAccess, opening the EC2 console shows no errors, whereas attempting to access S3 is denied.
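Steps 10 to 12 show the policy being enforced only at the moment create-login-profile is called. The following added example (my own code, not from the original post or from AWS) checks a candidate password locally against the JSON that get-account-password-policy returns, so a script can fail fast before calling IAM. The sample policy JSON is constructed to match Step 4, the SYMBOLS set is an assumption taken from the IAM password-policy documentation, and generate_password is a local stand-in for the secretsmanager get-random-password call, not the AWS implementation.

```python
import json
import secrets
import string

# Constructed sample: the JSON shape returned by
# `aws iam get-account-password-policy`, filled with the values set in Step 4.
SAMPLE_POLICY_JSON = """
{
    "PasswordPolicy": {
        "MinimumPasswordLength": 32,
        "RequireSymbols": true,
        "RequireNumbers": true,
        "RequireUppercaseCharacters": true,
        "RequireLowercaseCharacters": true,
        "AllowUsersToChangePassword": true,
        "ExpirePasswords": true,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 1
    }
}
"""

# Non-alphanumeric characters IAM allows in console passwords (assumption taken
# from the IAM password-policy documentation; adjust if your account differs).
SYMBOLS = "!@#$%^&*()_+-=[]{}|'"


def parse_policy(policy_json: str) -> dict:
    """Return the PasswordPolicy object from get-account-password-policy output."""
    return json.loads(policy_json)["PasswordPolicy"]


def check_password(password: str, policy: dict) -> list:
    """Return the rules a candidate password breaks; an empty list means the
    password's composition satisfies the policy. Reuse prevention and expiry
    depend on server-side history, so they cannot be checked locally."""
    violations = []
    min_len = policy["MinimumPasswordLength"]
    if len(password) < min_len:
        violations.append(f"Password should be minimum length of {min_len}")
    checks = [
        ("RequireSymbols", SYMBOLS, "symbol"),
        ("RequireNumbers", string.digits, "number"),
        ("RequireUppercaseCharacters", string.ascii_uppercase, "uppercase character"),
        ("RequireLowercaseCharacters", string.ascii_lowercase, "lowercase character"),
    ]
    for key, charset, label in checks:
        if policy.get(key) and not any(c in charset for c in password):
            violations.append(f"Password must contain at least one {label}")
    return violations


def generate_password(length: int) -> str:
    """Local stand-in for `aws secretsmanager get-random-password
    --require-each-included-type`: one character from each class, the rest
    drawn from the full alphabet, all from the CSPRNG and then shuffled.
    Like the CLI call, it honours the requested length, not the account
    policy, which is exactly why Step 10's 16-character password is rejected."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY_JSON)
    # Step 10/11: 16 characters violates the 32-character minimum.
    print(check_password(generate_password(16), policy))
    # Step 12: 32 characters with every class present passes.
    print(check_password(generate_password(32), policy))
```

In a real script you would feed the output of `aws iam get-account-password-policy` into parse_policy instead of the constructed sample; the local check then mirrors the rejection seen in Step 11 without a round trip to IAM.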

Setting a password policy at the account level ensures that every user created in the account follows it, which strengthens the security of user credentials.

This exercise was inspired by the 2nd recipe in the AWS Cookbook; I have experimented further with the content.

Happy Learning!!