New IAM Features: Enhanced Password Management and Credential Reports

The AWS IAM team recently released new credential lifecycle management features that enable AWS account administrators to define and enforce security best practices for IAM users. 

We’ve expanded IAM password policies to enable self-service password rotation, on top of existing options to enforce password complexity. Furthermore, you can download reports for better visibility into the status of your IAM users’ AWS security credentials. These enhancements are designed to help you comply with security standards such as PCI DSS v2.0, ISO 27001, and FedRAMP.

In this blog post, I’ll discuss a number of use cases enabled by this release. 

Use case 1: I want my IAM users to periodically change their passwords.

This release adds password rotation features required by many corporate IT departments and security compliance standards. Rather than rely on users to actively remember to change passwords, you can now set mandatory password rotation periods ranging from 1 day to 3 years. Users are notified starting 15 days before their passwords expire that they must soon change their passwords. If their passwords expire, IAM requires them to reset their password before it allows them to access the AWS Management Console. Alternatively, you can lock out users whose passwords have expired, meaning that they must contact your AWS account administrator to get a new password. For added security, you can specify that your IAM users will not be able to re-use up to 24 previous passwords.

The following figure shows the new features in the updated Password Policy page.

Use case 2: I want to make sure that a user resets her password the next time she signs in.

A common scenario is to create a new user, assign an admin-generated password, and then have that user reset her own password. Today, that requires manually following up with the user to ensure that she’s completed the reset. Now when you manage a user's password in the console, you can check a box, as shown below, to ensure that the user is required to reset her password the next time she signs into AWS.
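The two use cases above map onto two IAM API calls: UpdateAccountPasswordPolicy for the rotation, reuse and lock-out settings, and UpdateLoginProfile with PasswordResetRequired for the "must reset at next sign-in" checkbox. The following is an added example written for this post, not code from the original post or from AWS; it uses the boto3 IAM client's update_account_password_policy and update_login_profile methods, takes the client as a parameter so it can be exercised with a stub, and checks the rotation settings against the ranges the post states (1 day to 3 years, up to 24 remembered passwords). The default values of 90 days and a 14-character minimum are the example's own choices.

```python
"""Set an IAM account password policy and force a password reset at next sign-in.

Added example (not code from the post). The numeric limits below are the ones the
post states; the defaults (90-day rotation, 14-character minimum) are this
example's own choices, not an AWS recommendation.
"""

MAX_PASSWORD_AGE_DAYS = 3 * 365   # rotation period may range from 1 day to 3 years
MAX_REUSE_PREVENTION = 24         # IAM can remember up to 24 previous passwords


def build_password_policy(max_age_days=90, reuse_prevention=24,
                          hard_expiry=False, min_length=14):
    """Return keyword arguments for update_account_password_policy after
    validating the rotation settings against the documented ranges."""
    if not 1 <= max_age_days <= MAX_PASSWORD_AGE_DAYS:
        raise ValueError(f"MaxPasswordAge must be 1..{MAX_PASSWORD_AGE_DAYS} days")
    if not 1 <= reuse_prevention <= MAX_REUSE_PREVENTION:
        raise ValueError(f"PasswordReusePrevention must be 1..{MAX_REUSE_PREVENTION}")
    return {
        # Complexity rules (existing options mentioned in the post).
        "MinimumPasswordLength": min_length,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        # Self-service rotation only works if users may change their own password.
        "AllowUsersToChangePassword": True,
        # Rotation: expire after this many days, remember this many old passwords.
        "MaxPasswordAge": max_age_days,
        "PasswordReusePrevention": reuse_prevention,
        # True = lock out users whose password expired (admin must issue a new one);
        # False = prompt them to reset it themselves at the next console sign-in.
        "HardExpiry": hard_expiry,
    }


def apply_password_policy(iam, **overrides):
    """Build the policy and push it to the account via the IAM client."""
    policy = build_password_policy(**overrides)
    iam.update_account_password_policy(**policy)
    return policy


def require_reset_at_next_signin(iam, user_name):
    """Use case 2 via the API: keep the user's current console password but
    require a new one the next time they sign in."""
    iam.update_login_profile(UserName=user_name, PasswordResetRequired=True)
    return user_name


if __name__ == "__main__":
    # Real run (needs AWS credentials with iam:UpdateAccountPasswordPolicy and
    # iam:UpdateLoginProfile). "alice" is a placeholder user name.
    import boto3
    iam_client = boto3.client("iam")
    print(apply_password_policy(iam_client))
    require_reset_at_next_signin(iam_client, "alice")
```

The functions take the client as an argument rather than creating it, so the policy-building logic can be unit-tested without AWS access; only the `__main__` section talks to the live service.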

Use case 3: I want evidence that my users are following security best practices, such as requiring MFA for administrative-level users.

You can generate a credential report that lists your IAM users and the status of their AWS security credentials and download it as a CSV file. These reports contain details such as whether MFA is activated, when their password was last rotated, and more. You can generate a new report as often as every 4 hours.

You can download reports interactively via the console or programmatically using the IAM API. (Support is coming soon for downloading the reports using the AWS CLI.)

The table below details the contents of a report.

Field Name                  Description
IAM_user_name               The friendly name of the IAM user
Arn                         AWS ARN of the IAM user
creation_date               Creation date of the IAM user
password_enabled            Whether the user has a password
password_last_rotated       Date and time when the user's password was last changed
password_next_rotation      Date and time when the user's password must be changed
MFA_active                  Whether MFA is active for the user
access_key_1_active         Whether the user's first access key is active, inactive, or not present
access_key_1_last_rotated   The date and time when the user's first access key was last changed
access_key_2_active         Whether the user's second access key is active, inactive, or not present
access_key_2_last_rotated   The date and time when the user's second access key was last changed
X509_cert_1_active          Whether the user's first signing certificate is active, inactive, or not present
X509_cert_1_last_rotated    The date and time when the user's first signing certificate was last changed
X509_cert_2_active          Whether the user's second signing certificate is active, inactive, or not present
X509_cert_2_last_rotated    The date and time when the user's second signing certificate was last changed
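Use case 3 is only "evidence" once someone reads the CSV and turns it into findings. The following is an added example written for this post, not code from the original post or from AWS. It fetches the report through the boto3 IAM client (generate_credential_report is called until it reports State COMPLETE, then get_credential_report returns the CSV in Content), parses it with the column names from the table above, and flags three conditions a reviewer would look for: a console password without MFA, an active access key older than a configurable age, and a password that is past its password_next_rotation date. The sample report embedded in the block is constructed, not real account data. One caveat: the report IAM produces today uses slightly different header names (for example user, user_creation_time, password_last_changed, mfa_active, cert_1_active), so the parser normalises those through an alias map.

```python
"""Fetch, parse and audit an IAM credential report.

Added example (not from the post). Works offline on the constructed sample below;
fetch_report() needs a boto3 IAM client with iam:GenerateCredentialReport and
iam:GetCredentialReport permissions.
"""
import csv
import io
import time
from datetime import datetime, timedelta, timezone

# Current IAM report headers that differ from the names used in the post's table.
HEADER_ALIASES = {
    "user": "IAM_user_name",
    "arn": "Arn",
    "user_creation_time": "creation_date",
    "password_last_changed": "password_last_rotated",
    "mfa_active": "MFA_active",
    "cert_1_active": "X509_cert_1_active",
    "cert_1_last_rotated": "X509_cert_1_last_rotated",
    "cert_2_active": "X509_cert_2_active",
    "cert_2_last_rotated": "X509_cert_2_last_rotated",
}

# Constructed sample report (not real data). Account id 123456789012 is the
# placeholder AWS uses in its own documentation. Timestamps are ISO 8601 UTC;
# "N/A" marks a value that does not apply.
SAMPLE_REPORT = """\
IAM_user_name,Arn,creation_date,password_enabled,password_last_rotated,password_next_rotation,MFA_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated,X509_cert_1_active,X509_cert_1_last_rotated,X509_cert_2_active,X509_cert_2_last_rotated
alice,arn:aws:iam::123456789012:user/alice,2013-01-10T09:00:00+00:00,true,2013-06-01T10:00:00+00:00,2013-08-30T10:00:00+00:00,true,true,2013-05-15T08:00:00+00:00,false,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2012-11-02T12:00:00+00:00,true,2012-11-02T12:00:00+00:00,2013-02-01T12:00:00+00:00,false,true,2012-11-02T12:00:00+00:00,true,2012-11-02T12:00:00+00:00,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2013-03-20T00:00:00+00:00,false,N/A,N/A,false,true,2013-03-20T00:00:00+00:00,false,N/A,false,N/A,false,N/A
"""


def fetch_report(iam, attempts=10, delay=2.0):
    """Request a fresh report and return its CSV text once generation completes."""
    for _ in range(attempts):
        # State is STARTED, INPROGRESS or COMPLETE; only COMPLETE means a report exists.
        if iam.generate_credential_report()["State"] == "COMPLETE":
            return iam.get_credential_report()["Content"].decode()
        time.sleep(delay)
    raise RuntimeError("credential report was not ready in time")


def _parse_ts(value):
    """Return an aware datetime, or None for N/A / blank / not_supported."""
    if not value or value.upper() == "N/A" or value == "not_supported":
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_report(csv_text):
    """Parse the CSV into a list of dicts keyed by the post's field names."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{HEADER_ALIASES.get(k, k): v for k, v in row.items()} for row in reader]


def audit(rows, now=None, max_key_age_days=90):
    """Return (user, finding) pairs for the hygiene checks described above."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for r in rows:
        name = r["IAM_user_name"]
        if r["password_enabled"] == "true" and r["MFA_active"] != "true":
            findings.append((name, "console password enabled without MFA"))
        for n in ("1", "2"):
            if r[f"access_key_{n}_active"] == "true":
                rotated = _parse_ts(r[f"access_key_{n}_last_rotated"])
                if rotated and now - rotated > timedelta(days=max_key_age_days):
                    findings.append((name, f"access key {n} older than {max_key_age_days} days"))
        next_rotation = _parse_ts(r["password_next_rotation"])
        if next_rotation and next_rotation < now:
            findings.append((name, "password past its rotation deadline"))
    return findings


if __name__ == "__main__":
    # Offline run against the constructed sample, evaluated as of 2013-07-01.
    for user, finding in audit(parse_report(SAMPLE_REPORT),
                               now=datetime(2013, 7, 1, tzinfo=timezone.utc)):
        print(f"{user}: {finding}")
```

Because the report can be regenerated at most every 4 hours, a scheduled job that runs `fetch_report` and `audit` a few times a day and files the findings gives you a durable audit trail for the MFA and rotation requirements mentioned in the post.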

As a reminder, IAM is a feature of your AWS account and is available at no additional cost. Get started today with IAM password policies or credential reports by visiting the IAM console.

To learn more about these new features, check out the Security Credentials section of the AWS General Reference and the IAM User Guide.

-Kai
