IAM Password Policy

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0

Introduction

The IAM Password Policy solution updates the AWS account password policy within all accounts in an AWS Organization.


Deployed Resource Details

Architecture

1.0 All Organization Accounts

1.1 AWS CloudFormation

  • All resources are deployed via AWS CloudFormation as a StackSet and Stack Instance within the management account or a CloudFormation Stack within a specific account.
  • The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation StackSet.
  • For parameter details, review the AWS CloudFormation templates.

1.2 AWS Lambda Function

  • The Lambda function includes the logic that sets the account password policy in each account.
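Added example (not the solution's own Lambda code): a minimal handler that turns string settings, such as Lambda environment variables, into validated arguments for the IAM UpdateAccountPasswordPolicy API and applies them. The environment-variable names and the sample settings are assumptions constructed for this example; the API field names and value ranges are those documented for the IAM API.

```python
import os
from typing import Any, Dict

try:
    import boto3  # present in the Lambda runtime; only needed for the live call
except ImportError:
    boto3 = None

# Value ranges enforced by the IAM UpdateAccountPasswordPolicy API.
LIMITS = {
    "MinimumPasswordLength": (6, 128),
    "MaxPasswordAge": (1, 1095),
    "PasswordReusePrevention": (1, 24),
}
BOOL_KEYS = (
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "RequireNumbers", "RequireSymbols",
    "AllowUsersToChangePassword", "HardExpiry",
)

# Constructed sample settings (keys named after the API fields; an assumption).
SAMPLE_SETTINGS = {
    "MinimumPasswordLength": "14", "MaxPasswordAge": "90",
    "PasswordReusePrevention": "24", "RequireUppercaseCharacters": "true",
    "RequireLowercaseCharacters": "true", "RequireNumbers": "true",
    "RequireSymbols": "true", "AllowUsersToChangePassword": "true",
}


def build_policy(settings: Dict[str, str]) -> Dict[str, Any]:
    """Validate string settings and return keyword arguments for the API call.
    Out-of-range numeric values raise ValueError; missing booleans default to False."""
    policy: Dict[str, Any] = {}
    for key, (low, high) in LIMITS.items():
        value = int(settings[key])
        if not low <= value <= high:
            raise ValueError(f"{key}={value} is outside the allowed range {low}-{high}")
        policy[key] = value
    for key in BOOL_KEYS:
        policy[key] = settings.get(key, "false").strip().lower() == "true"
    return policy


def lambda_handler(event, context):
    # Assumption: settings are supplied as environment variables named after the API fields.
    policy = build_policy(dict(os.environ))
    boto3.client("iam").update_account_password_policy(**policy)
    return {"statusCode": 200, "policy": policy}
```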

1.3 Amazon CloudWatch Log Group

  • All the AWS Lambda Function logs are sent to the CloudWatch Log Group /aws/lambda/<LambdaFunctionName> to help with debugging and traceability of the actions performed.
  • By default, the AWS Lambda Function creates the CloudWatch Log Group, and the logs are encrypted with a CloudWatch Logs service-managed encryption key.

1.4 Lambda Execution IAM Role

  • IAM role used by the Lambda function to update the account password policy

1.5 IAM Password Policy

  • AWS account password policy for IAM users

Implementation Instructions

Prerequisites

  1. Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
  2. Verify that the SRA Prerequisites Solution has been deployed.

Solution Deployment

Choose a Deployment Method:

AWS CloudFormation

In the management account (home region), launch an AWS CloudFormation Stack using one of the options below:

  • Option 1: (Recommended) Use the sra-iam-password-policy-main-ssm.yaml template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.

    aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main-ssm.yaml --stack-name sra-iam-password-policy-main-ssm --capabilities CAPABILITY_NAMED_IAM
  • Option 2: Use the sra-iam-password-policy-main.yaml template. Input is required for the CloudFormation parameters where the default is not set.

    aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main.yaml --stack-name sra-iam-password-policy-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pRootOrganizationalUnitId=<ROOT_ORGANIZATIONAL_UNIT_ID> pSRAStagingS3BucketName=<SRA_STAGING_S3_BUCKET_NAME>

Verify Solution Deployment

  1. Log into any account within the AWS Organization
  2. Navigate to the IAM -> Account settings page
  3. Verify the password policy settings

Solution Delete Instructions

  1. In the management account (home region), delete the AWS CloudFormation Stack (sra-iam-password-policy-main-ssm or sra-iam-password-policy-main) created above.
  2. In each AWS account, delete the AWS CloudWatch Log Group (e.g. /aws/lambda/<solution_name>) for the Lambda function deployed.
