AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Root Account Should Have Password Rotation
More Info:
Ensure that your root account password is rotated every few days.
Risk Level
Critical
Address
Security
Compliance Standards
AWSWAF
Triage and Remediation
Remediation
To remediate the misconfiguration “Root Account Should Have Password Rotation” for AWS, follow these steps:
- Log in to your AWS Management Console using your Root Account credentials.
- Click on your account name in the top right corner and select “My Security Credentials” from the dropdown menu.
- In the “Security Status” section, you will see a message that says “Password rotation for root account is recommended”. Click on the “Rotate now” button next to it.
- Follow the prompts to create a new password for your Root Account. Make sure to use a strong and unique password, and do not reuse any previous passwords.
- Once you have created a new password, click on the “Apply password policy now” button to enforce the new password policy for your Root Account.
- You will receive a confirmation message that your Root Account password has been rotated successfully.
Congratulations, you have now remediated the misconfiguration “Root Account Should Have Password Rotation” for AWS using the AWS console. It is recommended to set up a password rotation policy to ensure that your Root Account password is rotated automatically on a regular basis.
To remediate this misconfiguration for AWS using AWS CLI, follow these steps:
- Open the AWS CLI on your local machine and run the following command to rotate the root account password:
aws iam update-login-profile --user-name <root_account_username> --password <new_password> --password-reset-required
Replace <root_account_username>
with the username of your root account and <new_password>
with a new, strong password.
-
After running the above command, AWS will prompt you to reset the password the next time you log in to the root account. To do this, log in to your AWS Management Console using your root account credentials and reset the password when prompted.
-
Once you have successfully reset the password, you should create a policy to enforce password rotation for the root account. To do this, create a JSON file with the following content:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowRootPasswordRotation",
"Effect": "Allow",
"Action": "iam:UpdateLoginProfile",
"Resource": "arn:aws:iam::<account_id>:user/root",
"Condition": {
"DateGreaterThan": {
"aws:PasswordLastUsed": "90"
}
}
}
]
}
Replace <account_id>
with your AWS account ID.
- Save the JSON file and run the following command to create a new IAM policy:
aws iam create-policy --policy-name <policy_name> --policy-document file://<file_path>
Replace <policy_name>
with a name for your new policy and <file_path>
with the path to the JSON file you created in step 3.
- Attach the new policy to the root account by running the following command:
aws iam attach-user-policy --user-name <root_account_username> --policy-arn <policy_arn>
Replace <root_account_username>
with the username of your root account and <policy_arn>
with the Amazon Resource Name (ARN) of the policy you created in step 4.
- Finally, test the policy by waiting for 90 days and then logging in to your AWS Management Console using your root account credentials. AWS will prompt you to reset the password, and you should do so to ensure that your root account password is rotated regularly.
To remediate the root account password rotation misconfiguration in AWS using Python, you can follow the below steps:
- Install AWS SDK for Python (boto3) using pip:
pip install boto3
- Create an AWS IAM client:
import boto3
iam_client = boto3.client('iam')
- Get the current password policy:
response = iam_client.get_account_password_policy()
password_policy = response['PasswordPolicy']
- Check if password rotation is enabled for the root account:
if password_policy['MaxPasswordAge'] is None:
print("Password rotation is not enabled for the root account.")
- If password rotation is not enabled, set a new password policy with password rotation enabled:
else:
new_password_policy = {
'MinimumPasswordLength': password_policy['MinimumPasswordLength'],
'RequireSymbols': password_policy['RequireSymbols'],
'RequireNumbers': password_policy['RequireNumbers'],
'RequireUppercaseCharacters': password_policy['RequireUppercaseCharacters'],
'RequireLowercaseCharacters': password_policy['RequireLowercaseCharacters'],
'AllowUsersToChangePassword': password_policy['AllowUsersToChangePassword'],
'MaxPasswordAge': 90, # set the maximum password age to 90 days
'PasswordReusePrevention': password_policy['PasswordReusePrevention']
}
iam_client.update_account_password_policy(**new_password_policy)
print("Password rotation is enabled for the root account.")
Note: Make sure you have the necessary AWS IAM permissions to update the account password policy.