
How to enable Prevent Password Reuse policy in AWS

The Prevent password reuse policy can be enabled in AWS in a few clicks or one CLI command. It stops IAM users from reusing a recent password when their current one expires or when they change it themselves. This article provides a step by step walkthrough of how you can enable the Prevent Password Reuse policy on AWS, in both video and text for your preferred medium of learning.

When a password has been exposed in a breach, a user who later sets it again hands an attacker working credentials: a reused password can allow the attacker to take over that user and, depending on the user's permissions, compromise the entire AWS account.

Preventing password reuse increases account resiliency against brute force and credential stuffing attempts that rely on previously leaked passwords. The AWS IAM account password policy can prevent a given user from reusing a password by enabling the Prevent password reuse setting (PasswordReusePrevention in the API), which keeps a history of between 1 and 24 previous passwords that the user cannot set again.

In the absence of this policy, there is no way to prevent users from reusing their old passwords after expiry or when password change operations are performed. Note that the IAM password policy applies to IAM users' console passwords only; it does not apply to the root user's password.

Here's how you can enable the Prevent Password Reuse policy on AWS via the console and CLI.

Steps to enable Prevent Password Reuse policy via AWS console

  1. Sign in to the AWS Management Console.
  2. Navigate to the IAM service.
  3. On the left menu, click on Account settings.
  4. Under the Password policy section, click on the Change password policy button.
  5. Check the Prevent password reuse checkbox.
  6. For the password history, set a value between 1 and 24. This is the number of previous passwords a user will not be allowed to set again. As per the CIS AWS Foundations Benchmark this value should be 24, or you can set it as per your organization's policies and processes.
  7. Click on Save changes. The password policy now prevents reuse of old passwords.

Steps to enable Prevent Password Reuse policy via AWS CLI

  1. To check the current password policy, run the get-account-password-policy command:

aws iam get-account-password-policy

If the account has never had a custom password policy, this call returns a NoSuchEntity error instead of a policy document.

  2. If the output contains no PasswordReusePrevention field, the policy has not been enabled yet.

  3. Run the update-account-password-policy command on your terminal with the --password-reuse-prevention parameter set to an integer between 1 and 24:

aws iam update-account-password-policy \
    --password-reuse-prevention 24

(As per the CIS benchmark this value should be 24, or you can set it as per your organization's policies and processes.)

Be aware that update-account-password-policy does not support partial updates: any parameter you leave out of the command reverts to its API default value. If the account already has settings such as a minimum password length or a maximum password age, pass them again in the same command so they are not silently reset.

  4. To confirm the policy has been updated, run the command in step 1 again and check that PasswordReusePrevention now shows the value you set.
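The CLI procedure above, consolidated into one script as an added example that is not part of the original article: it checks a get-account-password-policy response for a reuse history of at least 24, reports a missing policy (NoSuchEntity) as a failure, and applies a full policy in a single update-account-password-policy call so that no other setting reverts to its default. It assumes bash, an AWS CLI configured with iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy permissions, and the policy values of 24 remembered passwords and a 14-character minimum from the CIS benchmark; the other values in apply_password_policy and the embedded sample responses are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit and apply the IAM
# Prevent password reuse policy via the AWS CLI.
# Usage:  ./pw-reuse.sh audit   (read-only check of the current account)
#         ./pw-reuse.sh apply   (writes the full policy; review values first)
set -eu

REQUIRED_HISTORY=24   # CIS AWS Foundations Benchmark value for PasswordReusePrevention

# Constructed sample responses (not real account output) in the shape returned
# by `aws iam get-account-password-policy --output json`.
SAMPLE_NO_REUSE='{
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": true,
        "ExpirePasswords": false
    }
}'
SAMPLE_REUSE_5='{"PasswordPolicy": {"MinimumPasswordLength": 8, "PasswordReusePrevention": 5}}'
SAMPLE_REUSE_24='{
    "PasswordPolicy": {
        "MinimumPasswordLength": 14,
        "RequireSymbols": true,
        "RequireNumbers": true,
        "RequireUppercaseCharacters": true,
        "RequireLowercaseCharacters": true,
        "AllowUsersToChangePassword": true,
        "ExpirePasswords": true,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 24,
        "HardExpiry": false
    }
}'

# Print the PasswordReusePrevention value from the policy JSON passed as $1.
# Prints 0 when the key is absent, i.e. reuse prevention is not enabled.
reuse_prevention_value() {
  local v
  v=$(printf '%s' "$1" | tr -d '\n' \
      | sed -n 's/.*"PasswordReusePrevention": *\([0-9][0-9]*\).*/\1/p')
  printf '%s\n' "${v:-0}"
}

# Succeed (exit 0) only if the policy in $1 remembers at least REQUIRED_HISTORY passwords.
check_reuse_prevention() {
  [ "$(reuse_prevention_value "$1")" -ge "$REQUIRED_HISTORY" ]
}

# Live read-only check of the current account (step 1 and step 4 of the article).
audit_password_policy() {
  local out
  if ! out=$(aws iam get-account-password-policy --output json 2>&1); then
    case "$out" in
      *NoSuchEntity*) echo "FAIL: the account has no custom password policy"; return 1 ;;
      *) echo "ERROR: $out"; return 2 ;;
    esac
  fi
  if check_reuse_prevention "$out"; then
    echo "PASS: PasswordReusePrevention=$(reuse_prevention_value "$out")"
  else
    echo "FAIL: PasswordReusePrevention=$(reuse_prevention_value "$out") (required >= $REQUIRED_HISTORY)"
    return 1
  fi
}

# Step 3 of the article. update-account-password-policy is not a partial update:
# every parameter omitted here reverts to its default, so all settings are passed
# explicitly. Minimum length 14 and reuse 24 follow CIS; the rest are example values.
apply_password_policy() {
  aws iam update-account-password-policy \
    --minimum-password-length 14 \
    --require-symbols \
    --require-numbers \
    --require-uppercase-characters \
    --require-lowercase-characters \
    --allow-users-to-change-password \
    --max-password-age 90 \
    --password-reuse-prevention "$REQUIRED_HISTORY" \
    --no-hard-expiry
}

case "${1:-}" in
  audit) audit_password_policy ;;
  apply) apply_password_policy ;;
  *) : ;;   # no argument: only define the functions, nothing touches AWS
esac
```

Run `audit` first to capture what is currently set, then fold any values you want to keep into apply_password_policy before running `apply`; re-running `audit` afterwards is the equivalent of step 4.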

***

This article is brought to you by Kloudle Academy, a free e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security management platform that uses the power of automation and simplifies human requirements in cloud security.