steampipe plugin install aws

Table: aws_iam_account_password_policy - Query AWS IAM Account Password Policies using SQL

The AWS Identity and Access Management (IAM) Account Password Policy is a resource that allows you to manage the password policy for your AWS account. This includes settings like the minimum password length, whether to require symbols, numbers, or uppercase letters, and whether to allow users to change their own password. It can help you enforce strong password practices in your organization.

Table Usage Guide

The aws_iam_account_password_policy table in Steampipe provides you with information about the IAM account password policy of each connected AWS account. This table enables you, as a DevOps engineer, to query password-policy details such as the minimum password length, the password expiration period, and whether at least one number or symbol is required. You can use this table to gather insights on password policies, such as complexity requirements and rotation settings. The schema lists the attributes of the IAM account password policy, including whether users may change their own password, hard expiry, and password reuse prevention.

Examples

List the password policy for the account

Gain insights into your AWS account's security by examining its password policy. This query can help you understand the strength and complexity requirements of your passwords, which can aid in enhancing your account's security.

select
  allow_users_to_change_password,
  expire_passwords,
  hard_expiry,
  max_password_age,
  minimum_password_length,
  password_reuse_prevention,
  require_lowercase_characters,
  require_numbers,
  require_symbols,
  require_uppercase_characters
from
  aws_iam_account_password_policy;

Ensure IAM password policy requires at least one uppercase letter (CIS v1.1.05)

Determine whether your AWS IAM account password policy mandates the inclusion of at least one uppercase letter, to ensure enhanced security and compliance with CIS v1.1.05 standards.

select
  require_uppercase_characters
from
  aws_iam_account_password_policy;

Ensure IAM password policy requires at least one lowercase letter (CIS v1.1.06)

Check whether your AWS IAM password policy requires at least one lowercase letter. This query is useful for confirming that your password policy aligns with the CIS v1.1.06 benchmark.

select
  require_lowercase_characters
from
  aws_iam_account_password_policy;

Ensure IAM password policy requires at least one symbol (CIS v1.1.07)

Check whether your AWS IAM account password policy requires at least one symbol, a stronger password requirement recommended by CIS v1.1.07.

select
  require_symbols
from
  aws_iam_account_password_policy;

Ensure IAM password policy requires at least one number (CIS v1.1.08)

Check whether your AWS IAM password policy requires at least one numerical digit, a security measure recommended by CIS v1.1.08.

select
  require_numbers
from
  aws_iam_account_password_policy;

Ensure IAM password policy requires minimum length of 14 or greater (CIS v1.1.09)

Check whether your AWS IAM account password policy meets the CIS v1.1.09 standard, which requires a minimum password length of 14 or greater. The query returns true when the configured minimum length satisfies the benchmark.

Postgres:

select
  minimum_password_length >= 14
from
  aws_iam_account_password_policy;

SQLite:

select
  minimum_password_length >= 14 as 'minimum_password_length'
from
  aws_iam_account_password_policy;

Ensure IAM password policy prevents password reuse (CIS v1.1.10)

Check how many previous passwords your AWS IAM password policy prevents users from reusing. Reuse prevention is crucial for reinforcing security measures and mitigating the risk of unauthorized access.

select
  password_reuse_prevention
from
  aws_iam_account_password_policy;

Ensure IAM password policy expires passwords within 90 days or less (CIS v1.1.11)

Check that your AWS IAM account password policy enables expiration and that passwords expire within 90 days. The query returns true only when both conditions hold, in line with the CIS benchmark recommendation.

Postgres:

select
  (
    expire_passwords
    and max_password_age <= 90
  )
from
  aws_iam_account_password_policy;

SQLite:

select
  (
    expire_passwords = 1
    and max_password_age <= 90
  )
from
  aws_iam_account_password_policy;
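The per-control queries above each answer one CIS question. The following query, an added example that is not from the Steampipe docs, evaluates CIS v1.1.05 through v1.1.11 together and reports a per-account status. It uses Postgres syntax (Steampipe's default database) and assumes that a null setting should count as a failure, hence the coalesce() defaults; the threshold of 24 remembered passwords for v1.1.10 is the CIS benchmark's remediation value, which the page itself does not state.

```sql
-- Added example (not from the Steampipe docs): score CIS 1.1.05-1.1.11 in one query.
-- Postgres syntax. Assumption: a null setting counts as a failure (coalesce defaults).
with checks as (
  select
    account_id,
    coalesce(require_uppercase_characters, false)     as uppercase_ok,   -- CIS 1.1.05
    coalesce(require_lowercase_characters, false)     as lowercase_ok,   -- CIS 1.1.06
    coalesce(require_symbols, false)                  as symbols_ok,     -- CIS 1.1.07
    coalesce(require_numbers, false)                  as numbers_ok,     -- CIS 1.1.08
    coalesce(minimum_password_length, 0) >= 14        as min_length_ok,  -- CIS 1.1.09
    -- CIS 1.1.10: the benchmark's remediation value is 24 remembered passwords
    coalesce(password_reuse_prevention, 0) >= 24      as reuse_ok,
    -- CIS 1.1.11: expiry must be enabled AND no longer than 90 days
    (coalesce(expire_passwords, false)
       and coalesce(max_password_age, 0) <= 90)       as expiry_ok
  from
    aws_iam_account_password_policy
)
select
  account_id,
  uppercase_ok, lowercase_ok, symbols_ok, numbers_ok,
  min_length_ok, reuse_ok, expiry_ok,
  -- number of failing controls, so the worst accounts sort first
  (not uppercase_ok)::int + (not lowercase_ok)::int + (not symbols_ok)::int
    + (not numbers_ok)::int + (not min_length_ok)::int + (not reuse_ok)::int
    + (not expiry_ok)::int                            as failing_controls,
  case
    when uppercase_ok and lowercase_ok and symbols_ok and numbers_ok
         and min_length_ok and reuse_ok and expiry_ok then 'ok'
    else 'alarm'
  end                                                 as status
from
  checks
order by
  failing_controls desc, account_id;
```

An account with no password policy at all may return no row from this table rather than a row of nulls (verify this for your plugin version), so such accounts need a separate check.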

Schema for aws_iam_account_password_policy

Columns (name, type, supported key-column operators where any, description):

_ctx (jsonb): Steampipe context in JSON form.
account_id (text; operators: =, !=, ~~, ~~*, !~~, !~~*): The AWS Account ID in which the resource is located.
allow_users_to_change_password (boolean): Specifies whether IAM users are allowed to change their own password.
expire_passwords (boolean): Indicates whether passwords in the account expire. Returns true if MaxPasswordAge contains a value greater than 0. Returns false if MaxPasswordAge is 0 or not present.
hard_expiry (boolean): Specifies whether IAM users are prevented from setting a new password after.
max_password_age (bigint): The number of days that an IAM user password is valid.
minimum_password_length (bigint): Minimum length to require for IAM user passwords.
partition (text): The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
password_reuse_prevention (bigint): Specifies the number of previous passwords that IAM users are prevented from reusing.
region (text): The AWS Region in which the resource is located.
require_lowercase_characters (boolean): Specifies whether to require lowercase characters for IAM user passwords.
require_numbers (boolean): Specifies whether to require numbers for IAM user passwords.
require_symbols (boolean): Specifies whether to require symbols for IAM user passwords.
require_uppercase_characters (boolean): Specifies whether to require uppercase characters for IAM user passwords.
sp_connection_name (text; operators: =, !=, ~~, ~~*, !~~, !~~*): Steampipe connection name.
sp_ctx (jsonb): Steampipe context in JSON form.

Export

This table is also available through a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without running a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_iam_account_password_policy