AWS supports the enforcement of password policies. We can ask for example passwords to be at least 16 characters long and include numbers, symbols, lowercase, and capital letters. We will create one using the AWS CLI.
The easiest way to create (or update) such a policy is to use the --generate-cli-skeleton option to generate the JSON template for the parameters that the policy takes. We will run the command and redirect its output to a file called password-policy as follows:
$ aws iam update-account-password-policy
--generate-cli-skeleton > password-policy
We can now edit the file, which at first looks like this:
{
"MinimumPasswordLength": 0,
"RequireSymbols": true,
"RequireNumbers": true,
"RequireUppercaseCharacters": true,
"RequireLowercaseCharacters": true,
"AllowUsersToChangePassword": true,
"MaxPasswordAge": 0,
"PasswordReusePrevention": 0,
"HardExpiry": true
}
The default policy already requires the use of symbols, numbers, uppercase, and lowercase characters. We will simply increase the MinimumPasswordLength value to 16, MaxPasswordAge to 90 to force users to change their password every quarter, and PasswordReusePrevention to 3 to encourage users not to reuse their old passwords.
Once the changes are made, we can save the file and update the account password policy as follows:
$ aws iam update-account-password-policy
--cli-input-json file://password-policy
Finally, we can validate that the new policy is present and reflectss the data present in the file as follows:
$ aws iam get-account-password-policy
{
"PasswordPolicy": {
"AllowUsersToChangePassword": true,
"RequireLowercaseCharacters": true,
"RequireUppercaseCharacters": true,
"MinimumPasswordLength": 16,
"RequireNumbers": true,
"PasswordReusePrevention": 3,
"HardExpiry": true,
"RequireSymbols": true,
"MaxPasswordAge": 90,
"ExpirePasswords": true
}
}
From that point on, new user accounts or existing ones changing their passwords will have to comply with the preceding policy.
We will now look into creating groups to organize our users better.