# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 --- description: | ### Document name - AWSConfigRemediation-SetIAMPasswordPolicy ## What does this document do? This document sets the AWS Identity and Access Management (IAM) user password policy for the AWS account using the [UpdateAccountPasswordPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccountPasswordPolicy.html) API. ## Input Parameters * AllowUsersToChangePassword: (Optional) Allows all IAM users in your account to use the AWS Management Console to change their own passwords. * HardExpiry: (Optional) Prevents IAM users from setting a new password after their password has expired. * MaxPasswordAge: (Optional) The number of days that an IAM user password is valid. * MinimumPasswordLength: (Optional) The minimum number of characters allowed in an IAM user password. * PasswordReusePrevention: (Optional) Specifies the number of previous passwords that IAM users are prevented from reusing. * RequireLowercaseCharacters: (Optional) Specifies whether IAM user passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z). * RequireNumbers: (Optional) Specifies whether IAM user passwords must contain at least one numeric character (0 to 9). * RequireSymbols: (Optional) pecifies whether IAM user passwords must contain at least one of the following non-alphanumeric characters :! @ \# $ % ^ * ( ) _ + - = [ ] { } | ' * RequireUppercaseCharacters: (Optional) Specifies whether IAM user passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z). * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf. ## Output Parameters * UpdateAndVerifyIamUserPasswordPolicy.Output schemaVersion: "0.3" assumeRole: "{{ AutomationAssumeRole }}" parameters: AutomationAssumeRole: type: String description: (Required) The ARN of the role that allows Automation to perform the actions on your behalf. allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$' AllowUsersToChangePassword: type: Boolean description: (Optional) Allows all IAM users in your AWS account to use the AWS Management Console to change their own passwords. default: false HardExpiry: type: Boolean description: (Optional) Prevents IAM users from setting a new password after their password has expired. default: false MaxPasswordAge: type: Integer description: (Optional) The number of days that an IAM user password is valid. allowedPattern: ^\d{0,3}$|^10[0-8]\d$|^109[0-5]$ default: 0 MinimumPasswordLength: type: Integer description: (Optional) The minimum number of characters allowed in an IAM user password. allowedPattern: ^[6-9]$|^[1-9]\d$|^1[01]\d$|^12[0-8]$ default: 6 PasswordReusePrevention: type: Integer description: (Optional) Specifies the number of previous passwords that IAM users are prevented from reusing. allowedPattern: ^\d{0,1}$|^1\d$|^2[0-4]$ default: 0 RequireLowercaseCharacters: type: Boolean description: (Optional) Specifies whether IAM user passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z). default: false RequireNumbers: type: Boolean description: (Optional) Specifies whether IAM user passwords must contain at least one numeric character (0 to 9). default: false RequireSymbols: type: Boolean description: (Optional) Specifies whether IAM user passwords must contain at least one of the following non-alphanumeric characters :! @ \# $ % ^ * ( ) _ + - = [ ] { } | '. default: false RequireUppercaseCharacters: type: Boolean description: (Optional) Specifies whether IAM user passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z). default: false outputs: - UpdateAndVerifyIamUserPasswordPolicy.Output mainSteps: - name: UpdateAndVerifyIamUserPasswordPolicy action: "aws:executeScript" timeoutSeconds: 600 isEnd: true description: | ## UpdateAndVerifyIamUserPasswordPolicy Sets or updates the AWS account password policy using input parameters using UpdateAccountPasswordPolicy API. Verify AWS account password policy using GetAccountPasswordPolicy API. ## Outputs * Output: Success message with HTTP Response from GetAccountPasswordPolicy API call or failure exception. inputs: Runtime: python3.8 Handler: update_and_verify_iam_user_password_policy InputPayload: AllowUsersToChangePassword: "{{ AllowUsersToChangePassword }}" HardExpiry: "{{ HardExpiry }}" MaxPasswordAge: "{{ MaxPasswordAge }}" MinimumPasswordLength: "{{ MinimumPasswordLength }}" PasswordReusePrevention: "{{ PasswordReusePrevention }}" RequireLowercaseCharacters: "{{ RequireLowercaseCharacters }}" RequireNumbers: "{{ RequireNumbers }}" RequireSymbols: "{{ RequireSymbols }}" RequireUppercaseCharacters: "{{ RequireUppercaseCharacters }}" Script: |- import boto3 def update_and_verify_iam_user_password_policy(event, context): iam_client = boto3.client('iam') try: params = dict() params["AllowUsersToChangePassword"] = event["AllowUsersToChangePassword"] if "HardExpiry" in event: params["HardExpiry"] = event["HardExpiry"] if event["MaxPasswordAge"]: params["MaxPasswordAge"] = event["MaxPasswordAge"] if event["PasswordReusePrevention"]: params["PasswordReusePrevention"] = event["PasswordReusePrevention"] params["MinimumPasswordLength"] = event["MinimumPasswordLength"] params["RequireLowercaseCharacters"] = event["RequireLowercaseCharacters"] params["RequireNumbers"] = event["RequireNumbers"] params["RequireSymbols"] = event["RequireSymbols"] params["RequireUppercaseCharacters"] = event["RequireUppercaseCharacters"] update_api_response = iam_client.update_account_password_policy(**params) # Verifies IAM Password Policy configuration for AWS account using GetAccountPasswordPolicy() api call. response = iam_client.get_account_password_policy() if all([response["PasswordPolicy"]["AllowUsersToChangePassword"] == event["AllowUsersToChangePassword"], response["PasswordPolicy"]["MinimumPasswordLength"] == event["MinimumPasswordLength"], response["PasswordPolicy"]["RequireLowercaseCharacters"] == event["RequireLowercaseCharacters"], response["PasswordPolicy"]["RequireNumbers"] == event["RequireNumbers"], response["PasswordPolicy"]["RequireUppercaseCharacters"] == event["RequireUppercaseCharacters"], ((response["PasswordPolicy"]["HardExpiry"] == event["HardExpiry"]) if "HardExpiry" in event else True), ((response["PasswordPolicy"]["MaxPasswordAge"] == event["MaxPasswordAge"]) if event["MaxPasswordAge"] else True), ((response["PasswordPolicy"]["PasswordReusePrevention"] == event["PasswordReusePrevention"]) if event["PasswordReusePrevention"] else True)]): return { "output": { "Message": "AWS Account Password Policy setting is SUCCESSFUL.", "UpdatePolicyHTTPResponse": update_api_response, "GetPolicyHTTPResponse": response } } raise Exception("VERIFICATION FAILED. AWS ACCOUNT PASSWORD POLICY NOT UPDATED.") except iam_client.exceptions.NoSuchEntityException: raise Exception("VERIFICATION FAILED. UNABLE TO UPDATE AWS ACCOUNT PASSWORD POLICY.") outputs: - Name: Output Selector: $.Payload.output Type: StringMap