Detection rules › Panther
AWS Password Policy Password Age Limit
This policy validates that the account password policy enforces a maximum password age of 90 days or less.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110 Brute Force |
Rule body yaml
AnalysisType: policy
Filename: aws_password_policy_password_age_limit.py
PolicyID: "AWS.PasswordPolicy.PasswordAgeLimit"
DisplayName: "AWS Password Policy Password Age Limit"
Enabled: true
ResourceTypes:
- AWS.PasswordPolicy
Tags:
- AWS
- Identity & Access Management
- Credential Access:Brute Force
Reports:
CIS:
- 1.11
PCI:
- 8.2.4
MITRE ATT&CK:
- TA0006:T1110
Severity: Medium
Description: >
This policy validates that the account password policy enforces a maximum password age of 90
days or less.
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-account-password-policy-enforces-password-age-limit-of-90-days-or-less
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Tests:
- Name: Adequate Max Password Age Set
ExpectedResult: true
Resource:
{
"AllowUsersToChangePassword": false,
"AnyExist": true,
"ExpirePasswords": true,
"HardExpiry": false,
"MaxPasswordAge": 75,
"MinimumPasswordLength": 14,
"PasswordReusePrevention": 24,
"RequireLowercaseCharacters": true,
"RequireNumbers": true,
"RequireSymbols": true,
"RequireUppercaseCharacters": true,
}
- Name: Inadequate Max Password Age Set
ExpectedResult: false
Resource:
{
"AllowUsersToChangePassword": false,
"AnyExist": true,
"ExpirePasswords": true,
"HardExpiry": false,
"MaxPasswordAge": 180,
"MinimumPasswordLength": 14,
"PasswordReusePrevention": 24,
"RequireLowercaseCharacters": true,
"RequireNumbers": true,
"RequireSymbols": true,
"RequireUppercaseCharacters": true,
}
- Name: Max Password Age Not Set
ExpectedResult: false
Resource:
{
"AllowUsersToChangePassword": false,
"AnyExist": true,
"ExpirePasswords": true,
"HardExpiry": false,
"MaxPasswordAge": null,
"MinimumPasswordLength": 14,
"PasswordReusePrevention": 24,
"RequireLowercaseCharacters": true,
"RequireNumbers": true,
"RequireSymbols": true,
"RequireUppercaseCharacters": true,
}
Detection logic
Condition
not (MaxPasswordAge is_not_null and MaxPasswordAge le "90")
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
MaxPasswordAge | is_not_null | |
MaxPasswordAge | le | 90 |