Skip to content

Latest commit

 

History

History
37 lines (31 loc) · 2.37 KB

README.md

File metadata and controls

37 lines (31 loc) · 2.37 KB
Raw

Overview

Set IAM Password Policy for all your AWS accounts according to AWS Foundational Security Best Practices standard, which states that "password policies for IAM users should have strong configurations".
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-7

Notes:

  • AWS highly recommends as a best practice that instead of creating IAM users to use federation, via AWS SSO.
  • This solution sets the minimum requirements to pass AWS Security Hub checks - set other parameters as required.
  • Consider implemeting a Service Control Policy (SCP) to disallow linked accounts from resetting IAM Password Policies.

Environment

The Lambda function has no external dependencies other than Python 3.9 and Boto3, which is the AWS SDK for Python. The Lambda function requires access to action (iam:UpdateAccountPasswordPolicy) to run. The suggested timeout is 10 seconds.

Deployment

You can deploy the Lambda function using AWS CloudFormation (check cloudformation.yml file). Also, you can use AWS CloudFormation StackSets to update the password policy across multiple accounts or the entire AWS Organization.

Governance

Once the IAM Passowrd Policies across your linked accounts are updated according to your organization standard, you can implement a Service Control Policy (see the example below) to deny further access to the action, IAM:UpdateAccountPasswordPolicy. Note that Service Control Policies don't affect users or roles in the management account. 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUpdateAccountPasswordPolicy",
      "Effect": "Deny",
      "Action": "iam:UpdateAccountPasswordPolicy",
      "Resource": "*"
    }
  ]
}

Testing

The core logic (other than the handler method) can be tested locally without the need for Lambda deployment. I provided two files (test.py and requirements.txt) to help you install and run the code locally. You still need to have your AWS access credentials in .aws\credentials for the test script to work.

If you like to activly monitor your IAM user permissions for the IAM action, UpdateAccountPasswordPolicy, consider using the IAM Canary concept publish earlier on github.
https://github.com/hassantahhan/iamcanary

Cost

The total cost of the Lambda function is estimated to be $0.0 USD/month/account.