> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Complex Password Policy Should Be Present

### More Info:

Password policy should be complex enough so that users can set passwords which are not easy to guess and crack.

### Risk Level

Medium

### Address

Security

### Compliance Standards

HIPAA, ISO27001, PCIDSS, GDPR, CISAWS, CBP, NIST, HITRUST, AWSWAF, SOC2, NISTCSF

### Triage and Remediation

<Tabs>
  <Tab title="Prevention">
    ### How to Prevent

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To prevent the misconfiguration of not having a complex password policy in AWS IAM using the AWS Management Console, follow these steps:

        1. **Navigate to IAM Dashboard:**
           * Sign in to the AWS Management Console.
           * In the top navigation bar, click on "Services" and then select "IAM" under the "Security, Identity, & Compliance" section.

        2. **Access Account Settings:**
           * In the IAM dashboard, on the left-hand side, click on "Account settings."

        3. **Set Password Policy:**
           * In the "Password policy" section, click on the "Set password policy" button.
           * Configure the password policy settings to enforce complexity. Ensure you enable options such as:
             * Require at least one uppercase letter.
             * Require at least one lowercase letter.
             * Require at least one number.
             * Require at least one non-alphanumeric character (e.g., !, @, #, \$).

        4. **Save Changes:**
           * After configuring the desired settings, click on the "Save changes" button to apply the new password policy.

        By following these steps, you can ensure that a complex password policy is enforced for IAM users in your AWS account.
      </Accordion>

      <Accordion title="Using CLI">
        To prevent the misconfiguration of not having a complex password policy in AWS IAM using the AWS CLI, you can follow these steps:

        1. **Set Minimum Password Length:**
           Ensure that the password policy enforces a minimum length for passwords. This helps in making passwords harder to guess.

           ```sh theme={null}
           aws iam update-account-password-policy --minimum-password-length 12
           ```

        2. **Require at Least One Uppercase Letter:**
           Enforce the inclusion of at least one uppercase letter in the password to increase complexity.

           ```sh theme={null}
           aws iam update-account-password-policy --require-uppercase-characters
           ```

        3. **Require at Least One Lowercase Letter:**
           Enforce the inclusion of at least one lowercase letter in the password to ensure a mix of character cases.

           ```sh theme={null}
           aws iam update-account-password-policy --require-lowercase-characters
           ```

        4. **Require at Least One Number and One Special Character:**
           Ensure that the password includes at least one numeric digit and one special character to further enhance security.

           ```sh theme={null}
           aws iam update-account-password-policy --require-numbers --require-symbols
           ```

        By executing these commands, you can enforce a complex password policy in AWS IAM, thereby preventing the misconfiguration of having weak password policies.
      </Accordion>

      <Accordion title="Using Python">
        To prevent the misconfiguration of not having a complex password policy in IAM using Python scripts, you can follow these steps for AWS, Azure, and GCP:

        ### AWS (Boto3)

        1. **Install Boto3**:
           Ensure you have the Boto3 library installed. You can install it using pip if you haven't already:
           ```bash theme={null}
           pip install boto3
           ```

        2. **Create a Python Script to Set Password Policy**:
           Use the following script to set a complex password policy in AWS IAM:
           ```python theme={null}
           import boto3

           # Create an IAM client
           iam = boto3.client('iam')

           # Define the password policy
           password_policy = {
               'MinimumPasswordLength': 12,
               'RequireSymbols': True,
               'RequireNumbers': True,
               'RequireUppercaseCharacters': True,
               'RequireLowercaseCharacters': True,
               'AllowUsersToChangePassword': True,
               'ExpirePasswords': True,
               'MaxPasswordAge': 90,
               'PasswordReusePrevention': 5
           }

           # Set the password policy
           response = iam.update_account_password_policy(**password_policy)
           print("Password policy updated:", response)
           ```

        ### Azure (Azure SDK for Python)

        1. **Install Azure Identity and Management Libraries**:
           Ensure you have the Azure libraries installed:
           ```bash theme={null}
           pip install azure-identity azure-mgmt-authorization
           ```

        2. **Create a Python Script to Set Password Policy**:
           Use the following script to set a complex password policy in Azure AD:
           ```python theme={null}
           from azure.identity import DefaultAzureCredential
           from azure.mgmt.authorization import AuthorizationManagementClient

           # Initialize the Azure credentials and client
           credential = DefaultAzureCredential()
           subscription_id = 'your-subscription-id'
           client = AuthorizationManagementClient(credential, subscription_id)

           # Define the password policy (Note: Azure AD password policies are managed via Azure AD B2C or Conditional Access Policies)
           # This is a placeholder as Azure AD password policies are not directly managed via the SDK
           password_policy = {
               'minimum_length': 12,
               'require_uppercase': True,
               'require_lowercase': True,
               'require_numbers': True,
               'require_symbols': True,
               'max_age_days': 90,
               'password_reuse_prevention': 5
           }

           # Placeholder for setting the password policy
           # Azure AD password policies are typically set via the Azure portal or PowerShell
           print("Password policy should be set via Azure AD B2C or Conditional Access Policies.")
           ```

        ### GCP (Google Cloud Client Library for Python)

        1. **Install Google Cloud IAM Library**:
           Ensure you have the Google Cloud IAM library installed:
           ```bash theme={null}
           pip install google-cloud-iam
           ```

        2. **Create a Python Script to Set Password Policy**:
           Use the following script to set a complex password policy in GCP IAM:
           ```python theme={null}
           from google.cloud import iam_v1

           # Initialize the IAM client
           client = iam_v1.IAMClient()

           # Define the password policy (Note: GCP IAM does not directly support password policies, typically managed via G Suite)
           password_policy = {
               'minimum_length': 12,
               'require_uppercase': True,
               'require_lowercase': True,
               'require_numbers': True,
               'require_symbols': True,
               'max_age_days': 90,
               'password_reuse_prevention': 5
           }

           # Placeholder for setting the password policy
           # GCP IAM password policies are typically managed via G Suite Admin SDK
           print("Password policy should be set via G Suite Admin SDK.")
           ```

        ### Summary

        * **AWS**: Use Boto3 to set a complex password policy directly.
        * **Azure**: Use Azure SDK for Python, but note that password policies are typically managed via Azure AD B2C or Conditional Access Policies.
        * **GCP**: Use Google Cloud IAM library, but note that password policies are typically managed via G Suite Admin SDK.

        These scripts provide a starting point for ensuring complex password policies are enforced in your cloud environments.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

        2. In the navigation pane, choose "Account Settings".

        3. In the "Password Policy" section, you can see the details of the current password policy.

        4. Check if the password policy is complex enough. It should include requirements for a minimum password length, require at least one uppercase letter, one lowercase letter, one number, and one non-alphanumeric character. Also, check if it requires password rotation every 90 days and does not allow password reuse.
      </Accordion>

      <Accordion title="Using CLI">
        1. Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local machine. You can download it from the official AWS website. After installation, you need to configure it with your AWS account credentials. You can do this by running the command `aws configure` and then entering your AWS Access Key ID, Secret Access Key, Default region name, and Default output format when prompted.

        2. List IAM Password Policies: Use the AWS CLI command `aws iam get-account-password-policy` to retrieve the account's password policy. This command returns details about the account's password policy, including minimum password length, whether it requires uppercase characters, lowercase characters, numbers, and special characters.

           Command:

           ```
           aws iam get-account-password-policy
           ```

        3. Analyze the output: The output of the command will be in JSON format. You need to check the following fields: `MinimumPasswordLength`, `RequireUppercaseCharacters`, `RequireLowercaseCharacters`, `RequireNumbers`, and `RequireSymbols`. If the `MinimumPasswordLength` is less than 14, or any of the `Require*` fields are set to false, then the password policy is not complex enough.

        4. Automate the process: You can automate this process by writing a Python script that uses the AWS SDK (boto3) to retrieve and analyze the password policy. The script would use the `get_account_password_policy` method from the `IAM` client, and then check the same fields as in step 3. If the policy is not complex enough, the script could print a warning message or take some other action.
      </Accordion>

      <Accordion title="Using Python">
        To check if a complex password policy is present in IAM using Python scripts, you can use the Boto3 library, which allows you to write software that makes use of services like Amazon S3, Amazon EC2, etc. Here are the steps:

        1. **Import Boto3 and Create IAM Client:**
           First, you need to import the Boto3 library and create an IAM client. This client will allow you to interact with the IAM service.

           ```python theme={null}
           import boto3

           # Create IAM client
           iam = boto3.client('iam')
           ```

        2. **Get Account Password Policy:**
           Next, you need to get the account password policy. This can be done using the `get_account_password_policy` method.

           ```python theme={null}
           try:
               response = iam.get_account_password_policy()
           except Exception as e:
               print("No password policy found.")
           ```

        3. **Check Password Policy:**
           Now, you can check the password policy. You should check if the policy requires a minimum password length, requires at least one uppercase letter, requires at least one lowercase letter, requires at least one number, and requires at least one non-alphanumeric character.

           ```python theme={null}
           if 'PasswordPolicy' in response:
               policy = response['PasswordPolicy']
               if policy['MinimumPasswordLength'] < 14 or not policy['RequireUppercaseCharacters'] or not policy['RequireLowercaseCharacters'] or not policy['RequireNumbers'] or not policy['RequireSymbols']:
                   print("Password policy is not complex enough.")
           else:
               print("No password policy found.")
           ```

        4. **Print the Result:**
           Finally, you can print the result. If the password policy is not complex enough, you will get a message saying so. If no password policy is found, you will also get a message.

           ```python theme={null}
           print("Password policy is complex enough.")
           ```

        Remember to replace the conditions in the if statement with the complexity requirements that you want to enforce.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the complex password policy for AWS using AWS console, follow the below steps:

        1. Log in to the AWS Management Console.
        2. Navigate to the IAM service.
        3. Select the account that requires the complex password policy.
        4. Click on the "Password Policy" tab.
        5. Update the password policy by setting the following parameters:
           * Minimum password length to 8 or more characters.
           * Require at least one uppercase letter.
           * Require at least one lowercase letter.
           * Require at least one number.
           * Require at least one non-alphanumeric character.
        6. Click on the "Apply password policy" button to save the changes.

        After following these steps, the complex password policy will be enabled for the AWS account.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate this misconfiguration in AWS using AWS CLI, follow these steps:

        1. Open the AWS CLI on your local machine.

        2. Run the following command to update the password policy:

        ```
        aws iam update-account-password-policy --minimum-password-length 12 --require-symbols --require-numbers --require-uppercase-characters --require-lowercase-characters --allow-users-to-change-password --max-password-age 90 --password-reuse-prevention 24
        ```

        This command sets the minimum password length to 12 characters and requires symbols, numbers, uppercase and lowercase characters in the password. It also allows users to change their passwords, sets the maximum password age to 90 days, and prevents users from reusing their last 24 passwords.

        3. Verify that the password policy has been updated by running the following command:

        ```
        aws iam get-account-password-policy
        ```

        This command will return the current password policy for your AWS account.

        4. Repeat this process for all AWS accounts in your organization to ensure that all accounts have a complex password policy in place.

        By following these steps, you can remediate the misconfiguration of not having a complex password policy in AWS.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the complex password policy misconfiguration in AWS using Python, you can follow the below steps:

        1. Import the necessary libraries for AWS SDK and Boto3:

        ```
        import boto3
        from botocore.exceptions import ClientError
        ```

        2. Create a boto3 client for AWS Identity and Access Management (IAM):

        ```
        iam_client = boto3.client('iam')
        ```

        3. Define the password policy that you want to enforce. For example, you can enforce a password policy that requires a minimum password length of 12 characters, at least one uppercase letter, one lowercase letter, one number, and one special character:

        ```
        password_policy = {
            'MinimumPasswordLength': 12,
            'RequireUppercaseCharacters': True,
            'RequireLowercaseCharacters': True,
            'RequireNumbers': True,
            'RequireSymbols': True
        }
        ```

        4. Update the password policy for your AWS account using the `update_account_password_policy` method of the IAM client:

        ```
        try:
            response = iam_client.update_account_password_policy(**password_policy)
            print('Password policy updated successfully.')
        except ClientError as e:
            print(e)
        ```

        5. Verify that the password policy has been updated by retrieving the current password policy using the `get_account_password_policy` method of the IAM client:

        ```
        try:
            response = iam_client.get_account_password_policy()
            print(response['PasswordPolicy'])
        except ClientError as e:
            print(e)
        ```

        This should remediate the complex password policy misconfiguration in AWS using Python.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://d1.awsstatic.com/whitepapers/compliance/AWS\_CIS\_Foundations\_Benchmark.pdf](https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
