IAM Password Policy Prevents Reuse of Last 24 Passwords

Overview

This check validates that your AWS account's password policy prevents IAM users from reusing any of their last 24 passwords. Password reuse prevention is a fundamental security control that ensures users create genuinely new passwords when rotating credentials.

Risk

If password history is set below 24 (or disabled), users can quickly cycle through old passwords, making password rotation ineffective. Attackers who have obtained previously compromised credentials may regain access after a password change. This threatens system confidentiality and integrity while enabling credential-stuffing attacks.

Remediation Steps

Prerequisites

  • Access to the AWS Console with IAM administrative permissions, or
  • AWS CLI configured with credentials that have iam:UpdateAccountPasswordPolicy permission

Required IAM permissions

Your IAM user or role needs the following permission:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:UpdateAccountPasswordPolicy",
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Go to IAM (search for "IAM" in the top search bar)
  3. In the left navigation, click Account settings
  4. Under Password policy, click Edit
  5. Select Custom (if not already selected)
  6. Check the box for Prevent password reuse
  7. Set the value to 24
  8. Click Save changes

AWS CLI (optional)

Run the following command to set password reuse prevention to 24:

aws iam update-account-password-policy \
    --password-reuse-prevention 24 \
    --region us-east-1

Important: The update-account-password-policy command resets any parameters you do not specify to their default values. To preserve your existing policy settings while adding password reuse prevention, first retrieve your current policy:

# Get current password policy
aws iam get-account-password-policy --region us-east-1

Then include all desired parameters in your update command:

aws iam update-account-password-policy \
    --minimum-password-length 14 \
    --require-symbols \
    --require-numbers \
    --require-uppercase-characters \
    --require-lowercase-characters \
    --allow-users-to-change-password \
    --max-password-age 90 \
    --password-reuse-prevention 24 \
    --region us-east-1

CloudFormation (optional)

Use the AWS::IAM::AccountPasswordPolicy resource type to configure your password policy:

AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Password Policy with password reuse prevention set to 24

Resources:
  AccountPasswordPolicy:
    Type: AWS::IAM::AccountPasswordPolicy
    Properties:
      PasswordReusePrevention: 24
      MinimumPasswordLength: 14
      RequireSymbols: true
      RequireNumbers: true
      RequireUppercaseCharacters: true
      RequireLowercaseCharacters: true
      AllowUsersToChangePassword: true
      MaxPasswordAge: 90
      HardExpiry: false

Outputs:
  PasswordPolicyStatus:
    Description: Password policy configuration status
    Value: "Password reuse prevention set to 24"

Deploy the stack:

aws cloudformation deploy \
    --template-file password-policy.yaml \
    --stack-name iam-password-policy \
    --region us-east-1

Terraform (optional)

Use the aws_iam_account_password_policy resource:

resource "aws_iam_account_password_policy" "strict" {
  password_reuse_prevention      = 24
  minimum_password_length        = 14
  require_symbols                = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  allow_users_to_change_password = true
  max_password_age               = 90
  hard_expiry                    = false
}

Apply the configuration:

terraform init
terraform plan
terraform apply

Verification

After making changes, verify the password policy is correctly configured:

  1. In the AWS Console, go to IAM > Account settings
  2. Confirm that Prevent password reuse shows 24

CLI verification

aws iam get-account-password-policy --region us-east-1 --query 'PasswordPolicy.PasswordReusePrevention'

Expected output:

24

To see the full policy:

aws iam get-account-password-policy --region us-east-1
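The two operational details above, that update-account-password-policy resets every parameter you omit and that verification should read the value back, can be folded into one small check-and-remediate script. The following is an added example written for this page, not code from the check's maintainers: it evaluates the PasswordPolicy object, builds update parameters that carry over every existing setting (dropping the read-only ExpirePasswords key, which the update call does not accept), and treats the NoSuchEntity error as "no custom policy, so the default of no reuse prevention is in effect". The live path needs boto3 plus iam:GetAccountPasswordPolicy (and iam:UpdateAccountPasswordPolicy with --apply); the SAMPLE_POLICY dict is constructed for offline use.

```python
"""Added example (not from the original page): check the account password policy
with boto3 and, optionally, raise PasswordReusePrevention to 24 while keeping
every other existing setting, because update_account_password_policy resets
unspecified parameters to their defaults."""
import sys

REQUIRED_REUSE_PREVENTION = 24

# Keys returned by get_account_password_policy that are also accepted by
# update_account_password_policy. "ExpirePasswords" is read-only and is dropped.
UPDATABLE_KEYS = (
    "MinimumPasswordLength",
    "RequireSymbols",
    "RequireNumbers",
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "AllowUsersToChangePassword",
    "MaxPasswordAge",
    "PasswordReusePrevention",
    "HardExpiry",
)

# Constructed sample mirroring the shape of the 'PasswordPolicy' object in the
# get-account-password-policy response; it is non-compliant (history of 5).
SAMPLE_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 5,
    "HardExpiry": False,
}


def evaluate(policy):
    """Return (compliant, message) for a policy dict, or for None when the
    account has no custom policy (the API answers NoSuchEntity in that case)."""
    if policy is None:
        return False, "no custom password policy; AWS defaults apply (no reuse prevention)"
    history = policy.get("PasswordReusePrevention")
    if history is None:
        return False, "PasswordReusePrevention is not set"
    if history < REQUIRED_REUSE_PREVENTION:
        return False, (f"PasswordReusePrevention is {history}, "
                       f"expected at least {REQUIRED_REUSE_PREVENTION}")
    return True, f"PasswordReusePrevention is {history}"


def build_update_params(policy):
    """Build keyword arguments for update_account_password_policy that carry
    over every existing setting and never lower an already stronger history."""
    params = {k: policy[k] for k in UPDATABLE_KEYS if policy and k in policy}
    current = params.get("PasswordReusePrevention", 0)
    params["PasswordReusePrevention"] = max(current, REQUIRED_REUSE_PREVENTION)
    return params


def main(apply=False):
    """Live check against the current AWS credentials (needs boto3 and
    iam:GetAccountPasswordPolicy; iam:UpdateAccountPasswordPolicy with --apply)."""
    import boto3
    from botocore.exceptions import ClientError

    iam = boto3.client("iam")  # IAM is a global service; no region needed
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchEntity":
            raise
        policy = None
    compliant, message = evaluate(policy)
    print(("PASS: " if compliant else "FAIL: ") + message)
    if not compliant and apply:
        params = build_update_params(policy)
        iam.update_account_password_policy(**params)
        print("Updated policy with:", params)


if __name__ == "__main__":
    main(apply="--apply" in sys.argv)
```

Run it without arguments to get a PASS/FAIL line, and with --apply to remediate. Because build_update_params starts from the retrieved policy rather than from a fixed template, a re-run after remediation is idempotent and an account that already enforces a longer history (say 30) keeps it.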

Notes

  • Account-wide setting: The IAM password policy applies to all IAM users in the account. There is no way to set different policies for different users.
  • Existing passwords: Changing the policy does not force existing users to change their passwords immediately. Users will be required to meet the new reuse requirement only when they change their password.
  • Combine with MFA: Password policies work best when combined with multi-factor authentication (MFA). Consider enforcing MFA for all IAM users.
  • Consider AWS IAM Identity Center: For organizations with multiple AWS accounts, AWS IAM Identity Center (formerly AWS SSO) provides centralized identity management and may be preferable to managing IAM users in each account.