AWS Security Blog

New IAM Features: Enhanced Password Management and Credential Reports

The AWS IAM team recently released new credential lifecycle management features that enable AWS account administrators to define and enforce security best practices for IAM users.

We’ve expanded IAM password policies to enable self-service password rotation, on top of existing options to enforce password complexity. Furthermore, you can download reports for better visibility into the status of your IAM users’ AWS security credentials. These enhancements are designed to help you comply with security standards such as PCI DSS v2.0, ISO 27001, and FedRAMP.

In this blog post, I’ll discuss a number of use cases enabled by this release. 

Use case 1

I want my IAM users to periodically change their passwords.

This release adds the password rotation features required by many corporate IT departments and security compliance standards. Rather than rely on users to remember to change their passwords, you can now set a mandatory password rotation period ranging from 1 day to 3 years. Starting 15 days before their passwords expire, users are notified that they must soon change them. If a password expires, IAM requires the user to reset it before allowing access to the AWS Management Console. Alternatively, you can lock out users whose passwords have expired, meaning that they must contact your AWS account administrator to get a new password. For added security, you can prevent IAM users from reusing any of up to 24 of their previous passwords.

The following screenshot shows the new features on the updated Password Policy page.

[Screenshot: the new features on the updated Password Policy page]
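The same rotation settings can be applied programmatically. The following is an added example (not AWS's own code) that builds the parameters for the IAM UpdateAccountPasswordPolicy API from the limits the post gives (1 day to 3 years, up to 24 remembered passwords) and pushes them through a boto3 IAM client; the client is passed in as a parameter so the builder can be checked without an AWS account, and the 90-day default is an assumed local policy, not a value from the post.

```python
"""Apply the password-rotation settings described above through the IAM
UpdateAccountPasswordPolicy API. Added example, not AWS's own code; the
IAM client is injected so the builder can be exercised offline."""


def build_password_policy(max_age_days, reuse_prevention, hard_expiry):
    """Validate the rotation settings against the ranges the post gives
    (1 day to 3 years, i.e. 1..1095 days; up to 24 remembered passwords)
    and return keyword arguments for update_account_password_policy."""
    if not 1 <= max_age_days <= 1095:
        raise ValueError("max_age_days must be between 1 and 1095 (3 years)")
    if not 1 <= reuse_prevention <= 24:
        raise ValueError("reuse_prevention must be between 1 and 24")
    return {
        # Users must be allowed to change their own password, otherwise
        # rotation can only be completed by an administrator.
        "AllowUsersToChangePassword": True,
        "MaxPasswordAge": max_age_days,
        "PasswordReusePrevention": reuse_prevention,
        # HardExpiry=True locks expired users out until an administrator
        # resets the password; False lets them reset it at next sign-in.
        "HardExpiry": hard_expiry,
    }


def apply_password_policy(iam_client, max_age_days=90, reuse_prevention=24,
                          hard_expiry=False):
    """Push the policy to the account. iam_client is a boto3 IAM client
    (boto3.client("iam")); it is injected so tests can substitute a fake.
    The 90-day default is an assumed local policy, not a value from the post."""
    params = build_password_policy(max_age_days, reuse_prevention, hard_expiry)
    iam_client.update_account_password_policy(**params)
    return params


if __name__ == "__main__":
    import boto3  # needs AWS credentials; not required for the offline checks
    print(apply_password_policy(boto3.client("iam")))
```

Choosing `hard_expiry=False` keeps the self-service flow from use case 1 (the user resets at sign-in); set it to `True` only if you want expired users to go through an administrator.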

Use case 2

I want to make sure that a user resets her password the next time she signs in.

A common scenario is to create a new user, assign an admin-generated password, and then have that user reset her own password. Today, that requires manually following up with the user to ensure that she’s completed the reset. Now when you manage a user’s password in the console, you select a check box, as shown in the following screenshot, to ensure that the user is required to reset her password the next time she signs into AWS.

[Screenshot: the check box that requires the user to reset her password the next time she signs in to AWS]

Use case 3

I want evidence that my users are following security best practices, such as requiring MFA for administrative-level users.

You can generate a credential report that lists your IAM users and the status of their AWS security credentials, and download it as a CSV file. Each report contains details such as whether MFA is active for each user, when the user's password was last rotated, and more. You can generate a new report as often as every 4 hours.

You can download reports interactively via the console or programmatically using the IAM API. (Support is coming soon for downloading the reports using the AWS CLI.)

The table below details the contents of a report.

| Field name | Description |
|---|---|
| IAM_user_name | The friendly name of the IAM user |
| Arn | The AWS ARN of the IAM user |
| creation_date | The date and time the IAM user was created |
| password_enabled | Whether the user has a password |
| password_last_rotated | The date and time the user's password was last changed |
| password_next_rotation | The date and time by which the user's password must next be changed |
| MFA_active | Whether MFA is active for the user |
| access_key_1_active | Whether the user's first access key is active, inactive, or not present |
| access_key_1_last_rotated | The date and time the user's first access key was last changed |
| access_key_2_active | Whether the user's second access key is active, inactive, or not present |
| access_key_2_last_rotated | The date and time the user's second access key was last changed |
| X509_cert_1_active | Whether the user's first signing certificate is active, inactive, or not present |
| X509_cert_1_last_rotated | The date and time the user's first signing certificate was last changed |
| X509_cert_2_active | Whether the user's second signing certificate is active, inactive, or not present |
| X509_cert_2_last_rotated | The date and time the user's second signing certificate was last changed |
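To turn the report into the evidence use case 3 asks for, you need to download it and run checks over the rows. The following is an added example (not AWS's own code) that fetches a report through the IAM GenerateCredentialReport/GetCredentialReport API calls and then audits it for console users without MFA, expired passwords (using `password_next_rotation`, which ties back to the rotation policy of use case 1), and access keys not rotated within a chosen window. The sample CSV and the fixed "now" are constructed for the offline run using the field names from the table above (real reports may carry additional columns), the account ID is a placeholder, and the 90-day key-age threshold is an assumed local policy, not a value from the post.

```python
"""Download an IAM credential report and flag credential-hygiene issues
(use case 3). Added example, not AWS's own code. The sample report below is
constructed using the field names from the table above; real reports may
carry additional columns."""
import csv
import io
import time
from datetime import datetime, timedelta, timezone

# Constructed sample report (placeholder account ID, invented users and dates).
SAMPLE_REPORT = """\
IAM_user_name,Arn,creation_date,password_enabled,password_last_rotated,password_next_rotation,MFA_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated,X509_cert_1_active,X509_cert_1_last_rotated,X509_cert_2_active,X509_cert_2_last_rotated
alice,arn:aws:iam::111122223333:user/alice,2014-01-10T09:00:00Z,true,2014-03-01T10:00:00Z,2014-05-30T10:00:00Z,true,true,2014-03-01T10:00:00Z,false,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2013-06-02T12:00:00Z,true,2013-06-02T12:00:00Z,2013-08-31T12:00:00Z,false,true,2013-06-02T12:00:00Z,false,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2013-11-20T08:00:00Z,false,N/A,N/A,false,true,2013-11-20T08:00:00Z,true,2014-02-15T08:00:00Z,false,N/A,false,N/A
"""

# Fixed "now" so the sample run is deterministic (constructed to match the data above).
SAMPLE_NOW = datetime(2014, 4, 1, tzinfo=timezone.utc)


def fetch_credential_report(iam_client, attempts=10, delay=2.0):
    """Generate and download a report through the IAM API. GenerateCredentialReport
    is asynchronous, so poll until State is COMPLETE, then call GetCredentialReport.
    iam_client is a boto3 IAM client, injected so the offline run needs no account."""
    for _ in range(attempts):
        if iam_client.generate_credential_report()["State"] == "COMPLETE":
            return iam_client.get_credential_report()["Content"].decode("utf-8")
        time.sleep(delay)
    raise RuntimeError("credential report was not ready in time")


def parse_time(value):
    """Report timestamps are ISO 8601 in UTC; N/A (or anything unparseable) -> None."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def audit_report(report_csv, now, max_key_age_days=90):
    """Return {user: [findings]} for the checks an auditor typically asks for:
    console users without MFA, passwords past their rotation deadline, and active
    access keys not rotated within max_key_age_days (an assumed local policy)."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user_findings = []
        if row["password_enabled"] == "true" and row["MFA_active"] != "true":
            user_findings.append("console password enabled but MFA not active")
        next_rotation = parse_time(row["password_next_rotation"])
        if next_rotation is not None and next_rotation < now:
            user_findings.append("password expired on %s" % row["password_next_rotation"])
        for n in ("1", "2"):
            if row["access_key_%s_active" % n] != "true":
                continue  # inactive or not present: nothing to rotate
            rotated = parse_time(row["access_key_%s_last_rotated" % n])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                user_findings.append("access key %s older than %d days" % (n, max_key_age_days))
        if user_findings:
            findings[row["IAM_user_name"]] = user_findings
    return findings


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in
    # fetch_credential_report(boto3.client("iam")) for a live account.
    for user, issues in audit_report(SAMPLE_REPORT, SAMPLE_NOW).items():
        print(user, "->", "; ".join(issues))
```

Against the sample data this reports bob (no MFA, expired password, stale key 1) and svc-deploy (stale key 1) and nothing for alice; scheduling the same audit at the report's 4-hour refresh cadence gives you a continuous record rather than a one-off snapshot.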

As a reminder, IAM is a feature of your AWS account and is available at no additional cost. Get started today with IAM password policies or credential reports by visiting the IAM console.

To learn more about these new features, check out the Security Credentials section of the AWS General Reference and the IAM User Guide.

-Kai