New IAM Features: Enhanced Password Management and Credential Reports
The AWS IAM team recently released new credential lifecycle management features that enable AWS account administrators to define and enforce security best practices for IAM users.
We’ve expanded IAM password policies to enable self-service password rotation, on top of existing options to enforce password complexity. Furthermore, you can download reports for better visibility into the status of your IAM users’ AWS security credentials. These enhancements are designed to help you comply with security standards such as PCI DSS v2.0, ISO 27001, and FedRAMP.
In this blog post, I’ll discuss a number of use cases enabled by this release.
Use case 1
I want my IAM users to periodically change their passwords.
This release adds password rotation features required by many corporate IT departments and security compliance standards. Rather than rely on users to actively remember to change passwords, you can now set mandatory password rotation periods ranging from 1 day to 3 years. Users are notified starting 15 days before their passwords expire that they must soon change their passwords. If their passwords expire, IAM requires them to reset their password before it allows them to access the AWS Management Console. Alternatively, you can lock out users whose passwords have expired, meaning that they must contact your AWS account administrator to get a new password. For added security, you can specify that your IAM users will not be able to re-use up to 24 previous passwords.
The following screenshot shows the new features on the updated Password Policy page.
Use case 2
I want to make sure that a user resets her password the next time she signs in.
A common scenario is to create a new user, assign an admin-generated password, and then have that user reset her own password. Today, that requires manually following up with the user to ensure that she’s completed the reset. Now when you manage a user’s password in the console, you select a check box, as shown in the following screenshot, to ensure that the user is required to reset her password the next time she signs into AWS.
Use case 3
I want evidence that my users are following security best practices, such as requiring MFA for administrative-level users.
You can generate a credential report that lists your IAM users and the status of their AWS security credentials and download it as a CSV file. These reports contain details such as whether MFA is activated, when their password was last rotated, and more. You can generate a new report as often as every 4 hours.
You can download reports interactively via the console or programmatically using the IAM API. (Support is coming soon for downloading the reports using the AWS CLI.)
The table below details the contents of a report.
|IAM_user_name||The friendly name of the IAM user|
|Arn||AWS ARN of IAM user|
|creation_date||Creation date of IAM user|
|password_enabled||Whether the user has a password|
|password_last_rotated||Date and time when the user’s password was last changed|
|password_next_rotation||Date and time when the user’s password must be changed|
|MFA_active||Whether MFA is active for the user|
|access_key_1_active||Whether the user’s first access key is active, inactive, or not present|
|access_key_1_last_rotated||The date and time when the user’s first access key was last changed|
|access_key_2_active||Whether the user’s second access key is active, inactive, or not present|
|access_key_2_last_rotated||The date and time when the user’s second access key was last changed|
|X509_cert_1_active||Whether the user’s first signing certificate is active, inactive, or not present|
|X509_cert_1_last_rotated||The date and time when the user’s signing certificate was last changed|
|X509_cert_2_active||Whether the user’s second signing certificate is active, inactive, or not present|
|X509_cert_2_last_rotated||The date and time when the user’s second signing certificate was last changed|
As a reminder, IAM is a feature of your AWS account and is available at no additional cost. Get started today with IAM password policies or credential reports by visiting the IAM console.