turbot/aws_compliance

Query: iam_account_password_policy_strong_min_reuse_24

Usage

powerpipe query aws_compliance.query.iam_account_password_policy_strong_min_reuse_24

SQL

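-- One row per account. The password-policy columns are null when the account
-- has no policy at all (the left join finds no matching row).
with account_policy as (
  select
    a.partition,
    a.account_id,
    pol.minimum_password_length,
    pol.password_reuse_prevention,
    pol.require_lowercase_characters,
    pol.require_uppercase_characters,
    pol.require_numbers,
    pol.require_symbols,
    pol.max_password_age
  from
    aws_account as a
    left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id
),
-- Evaluate the strength predicate once so that status and reason cannot drift
-- apart. is_strong is null when the policy is missing or any compared value is
-- null; the case expressions below treat null exactly like false (-> alarm).
evaluated as (
  select
    p.*,
    (
      p.minimum_password_length >= 14
      and p.password_reuse_prevention >= 24
      and p.require_lowercase_characters = 'true'
      and p.require_uppercase_characters = 'true'
      and p.require_numbers = 'true'
      and p.require_symbols = 'true'
      and p.max_password_age <= 90
    ) as is_strong
  from
    account_policy as p
)
select
  'arn:' || e.partition || ':::' || e.account_id as resource,
  case
    when e.is_strong then 'ok'
    else 'alarm'
  end as status,
  case
    when e.minimum_password_length is null then 'No password policy set.'
    when e.is_strong then 'Strong password policies configured.'
    -- concat_ws drops null arguments, so only the failing checks are listed.
    else 'Password policy ' || concat_ws(
      ', ',
      case
        when e.minimum_password_length < 14 then 'minimum password length set to ' || e.minimum_password_length
      end,
      -- A null reuse-prevention value already fails the strength predicate
      -- above (null >= 24 is not true), so name it here instead of leaving the
      -- reason list empty for an alarmed account.
      case
        when e.password_reuse_prevention is null then 'password reuse prevention not set'
        when e.password_reuse_prevention < 24 then 'password reuse prevention set to ' || e.password_reuse_prevention
      end,
      -- All four boolean flags use the same `= 'true'` form as the predicate.
      case
        when not (e.require_lowercase_characters = 'true') then 'lowercase characters not required'
      end,
      case
        when not (e.require_uppercase_characters = 'true') then 'uppercase characters not required'
      end,
      case
        when not (e.require_numbers = 'true') then 'numbers not required'
      end,
      case
        when not (e.require_symbols = 'true') then 'symbols not required'
      end,
      -- Same reasoning as for reuse prevention: null max age fails `<= 90`.
      case
        when e.max_password_age is null then 'max password age not set'
        when e.max_password_age > 90 then 'max password age set to ' || e.max_password_age
      end
    ) || '.'
  end as reason,
  e.account_id
from
  evaluated as e;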

Controls

This query is used by the following controls: