Broken Authentication in AWS
Identity and Access Management (IAM)
IAM is an essential AWS service that enables you to manage access to AWS resources. With IAM, you can create and manage roles, users, and groups, assign permissions to resources, and control who has access to your AWS account. To prevent Broken Authentication, IAM allows you to implement strong password policies, two-factor authentication, and session management. You can also use IAM to enforce policies that control access to specific resources and actions within your AWS account.
IAM Password Policy
IAM Password Policy is the account-level set of rules that governs the complexity and validity period of the passwords IAM users sign in with. It is designed to promote strong password choices and raise the overall security of the account. Beyond the usual complexity requirements, the policy can also enforce password history, which prevents a user from changing their password back to one they have already used.
Example
{
  "PasswordPolicy": {
    "AllowUsersToChangePassword": true,
    "RequireLowercaseCharacters": true,
    "RequireUppercaseCharacters": true,
    "MinimumPasswordLength": 8,
    "RequireNumbers": true,
    "RequireSymbols": true,
    "HardExpiry": false,
    "ExpirePasswords": false
  }
}
IAM Multi-Factor Authentication (MFA)
IAM Multi-Factor Authentication (MFA) is an additional layer of security that can be used to protect AWS user accounts from unauthorized access. MFA requires users to provide a second authentication factor in addition to their password when logging into AWS services.
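As an added example covering both the password policy and the MFA sections (it is not part of the original article and not AWS code), the following Python evaluates a policy document of the shape shown above against a stricter baseline and lists console users that have no MFA device according to an IAM credential report; the thresholds, the account data and the abbreviated report columns are constructed assumptions.

```python
"""Check an IAM password policy and credential report for weak authentication
settings. Added example for this article, not AWS code; thresholds are assumptions."""
import csv
import io

MIN_LENGTH = 14               # baseline assumptions, not AWS defaults
MIN_REUSE_PREVENTION = 24
MAX_PASSWORD_AGE_DAYS = 90

# Constructed input: the policy from the article, in the shape returned by
# `aws iam get-account-password-policy`.
SAMPLE_POLICY = {"PasswordPolicy": {
    "AllowUsersToChangePassword": True, "RequireLowercaseCharacters": True,
    "RequireUppercaseCharacters": True, "MinimumPasswordLength": 8,
    "RequireNumbers": True, "RequireSymbols": True,
    "HardExpiry": False, "ExpirePasswords": False}}

# Constructed, abbreviated IAM credential report (real reports have more columns).
SAMPLE_CREDENTIAL_REPORT = """user,password_enabled,mfa_active,access_key_1_active
<root_account>,not_supported,true,false
alice,true,true,false
bob,true,false,true
ci-deploy,false,false,true
"""

def evaluate_password_policy(doc):
    """Return findings for a GetAccountPasswordPolicy-shaped document."""
    p = doc["PasswordPolicy"]
    findings = []
    length = p.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(f"MinimumPasswordLength {length} < {MIN_LENGTH}")
    for key in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                "RequireNumbers", "RequireSymbols"):
        if not p.get(key, False):
            findings.append(f"{key} is not enforced")
    # Password history: if the key is absent, any old password may be reused.
    if p.get("PasswordReusePrevention", 0) < MIN_REUSE_PREVENTION:
        findings.append("PasswordReusePrevention missing or below baseline")
    if not p.get("ExpirePasswords", False) or p.get("MaxPasswordAge", 0) > MAX_PASSWORD_AGE_DAYS:
        findings.append("passwords do not expire within baseline age")
    return findings

def users_without_mfa(report_csv):
    """Return console users (password_enabled true) with no active MFA device."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return sorted(r["user"] for r in rows
                  if r["password_enabled"] == "true" and r["mfa_active"] == "false")
```

Run against the article's sample policy it reports the short minimum length, the missing reuse prevention and the lack of expiry; a user with only access keys (ci-deploy) is not flagged, because MFA enforcement applies to console sign-in.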
Amazon Inspector
Finally, Amazon Inspector is a security assessment service that helps you identify security issues within your AWS resources. Using Inspector, you can scan your resources for vulnerabilities and security issues, including those related to Broken Authentication. Inspector provides detailed reporting and recommendations for how to remediate the issues.