Introduction
Best practices for securing an AWS environment are well documented and generally accepted, for example in AWS's own guidance. However, organizations may still find it hard to begin applying this guidance to their specific environments:
- Which controls should be applied out-of-the-box vs. customized?
- What pitfalls exist in implementing the various controls or checks?
- How do you prioritize remediation of the “sea of red” violations?
In this blog series, we'll analyze anonymized data from Netskope customers covering the security settings of 650,000 entities in 1,143 AWS accounts across several hundred organizations. We'll look at the configuration from the perspective of the best practices, see what commonly occurs in the real world, and:
- Discuss specific risk areas that should be prioritized
- Identify underlying root causes and potential pitfalls
- Focus on practical guidance for applying the Benchmark to your specific environment
This blog post focuses on IAM security controls related to account password policies. Based on the Netskope dataset analyzed, we will highlight two opportunities to improve security by making simple IAM changes:
- 73% of accounts have an account password policy with a minimum password length below 14, which makes passwords easier to brute-force and compromise. Half of these accounts are using the default AWS password policy.
- 80% of accounts have a password reuse prevention (password history) setting below 24, which allows password reuse and raises the chance of compromise.
Password Policy: legacies and defaults
“Don’t live life by default.”
― Steven Redhead
These two technical best practices involve the IAM User Password Policy strength. In a high majority (70-80%) of the 1,143 accounts, the account Password Policy is weak:
| # | Best Practice | # of Violations | % of 1,143 accounts |
|---|---|---|---|
| 1 | Ensure IAM password policy requires a minimum length of 14 or greater | 832 | 72.8% |
| 2 | Ensure IAM password policy prevents password reuse | 910 | 79.6% |
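The two checks in the table are easy to automate. The script below is an added example, not Netskope's tooling: it evaluates an account's password policy (the `PasswordPolicy` dict returned by boto3's `get_account_password_policy`, or `None` when the account is still on the AWS default, which the API reports as a `NoSuchEntity` error) against the minimum-length and reuse-prevention controls, and builds the parameter set for `update_account_password_policy`. The policy dicts used in the comments and tests are constructed, and the character-class settings assumed for the AWS default are an approximation of its "three of four classes" rule, which the update API cannot express directly.

```python
"""Audit an AWS account password policy against two controls
(minimum length >= 14, reuse prevention == 24) and build the remediation.

Added example, not Netskope's code. Only the boto3 calls
get_account_password_policy / update_account_password_policy are real;
the sample policy dicts are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # the pure evaluation logic still works without boto3
    boto3 = None
    ClientError = Exception

MIN_LENGTH = 14        # control 1
REUSE_PREVENTION = 24  # control 2 (24 is the API maximum)

# With no custom policy set, GetAccountPasswordPolicy raises NoSuchEntity and
# the AWS default applies: 8 characters, no reuse prevention. Assumption: we
# approximate its "three of four character classes" rule by requiring all four.
AWS_DEFAULT_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
}


@dataclass
class Finding:
    check: str
    actual: int
    required: int


def evaluate_policy(policy: Optional[dict]) -> List[Finding]:
    """Return the controls the policy violates (empty list if compliant)."""
    if policy is None:  # account still on the AWS default policy
        policy = AWS_DEFAULT_POLICY
    findings = []
    length = policy.get("MinimumPasswordLength", 8)
    if length < MIN_LENGTH:
        findings.append(Finding("minimum-length", length, MIN_LENGTH))
    # PasswordReusePrevention is absent entirely when reuse is not prevented.
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < REUSE_PREVENTION:
        findings.append(Finding("password-reuse", reuse, REUSE_PREVENTION))
    return findings


def remediated_policy(policy: Optional[dict]) -> dict:
    """Build the full kwargs for UpdateAccountPasswordPolicy.

    Pitfall: the update call replaces the whole policy and every omitted
    parameter reverts to its API default (false / unset), so every existing
    setting is carried forward and only the two controls are raised.
    """
    current = dict(policy or AWS_DEFAULT_POLICY)
    new = {
        "MinimumPasswordLength": max(current.get("MinimumPasswordLength", 8), MIN_LENGTH),
        "RequireSymbols": current.get("RequireSymbols", False),
        "RequireNumbers": current.get("RequireNumbers", False),
        "RequireUppercaseCharacters": current.get("RequireUppercaseCharacters", False),
        "RequireLowercaseCharacters": current.get("RequireLowercaseCharacters", False),
        "AllowUsersToChangePassword": current.get("AllowUsersToChangePassword", False),
        "PasswordReusePrevention": max(current.get("PasswordReusePrevention", 0), REUSE_PREVENTION),
    }
    # ExpirePasswords is read-only; expiry is set by passing MaxPasswordAge.
    if current.get("ExpirePasswords") and current.get("MaxPasswordAge"):
        new["MaxPasswordAge"] = current["MaxPasswordAge"]
    if "HardExpiry" in current:
        new["HardExpiry"] = current["HardExpiry"]
    return new


def fetch_policy(iam) -> Optional[dict]:
    """Read the live policy; None means the account uses the AWS default."""
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except ClientError as err:
        if err.response["Error"]["Code"] == "NoSuchEntity":
            return None
        raise


def audit_account(apply: bool = False) -> List[Finding]:
    """Audit the caller's account; with apply=True, fix both controls."""
    iam = boto3.client("iam")
    policy = fetch_policy(iam)
    findings = evaluate_policy(policy)
    for f in findings:
        print(f"{f.check}: current {f.actual}, required {f.required}")
    if findings and apply:
        iam.update_account_password_policy(**remediated_policy(policy))
    return findings


if __name__ == "__main__":
    audit_account(apply=False)  # needs iam:GetAccountPasswordPolicy
```

Run `audit_account(apply=True)` with `iam:UpdateAccountPasswordPolicy` to remediate; because the update overwrites the entire policy, always read the existing settings first, as `remediated_policy` does, rather than calling the update with only the two parameters you care about.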
1. Password Length
Background: Minimum sugg