PCI Compliance on AWS: Best Practices for Password Parameters
Setting a Password Policy in AWS IAM
Strong, complex passwords are crucial to your AWS security posture. PCI Requirements 8.2.3 through 8.2.6 specify the minimum parameters for PCI-compliant passwords:
- Require a minimum length of at least seven characters
- Contain both numeric and alphabetic characters
- Change user passwords at least every 90 days
- Do not allow reuse of a new password that is the same as any of the last four passwords
- Set a unique temporary password for first-time use and after a reset request, and require it to be changed immediately after the first use
You can set custom password parameters by creating a Password Policy in AWS IAM. If your AWS administrator doesn't set a custom password policy, AWS applies a default policy that requires a minimum length of eight characters (maximum 128), at least three of the four character types, and a password that is not identical to the AWS account name or email address. The default policy does not expire passwords and does not prevent reuse, so on its own it does not satisfy 8.2.4 or 8.2.5. The account password policy covers 8.2.3 through 8.2.5; 8.2.6 is handled per user by requiring a password reset at first sign-in when you create a console login profile. For additional password recommendations, see the CIS AWS Foundations Benchmark.
The password parameters in your IAM account password policy are what an assessor will check against 8.2.3 through 8.2.6 of the PCI Data Security Standard, at a minimum: a password length of at least 7 characters, a maximum password age of 90 days, and no reuse of any of the last four passwords. Our AWS scan checks these settings automatically; if you haven't run it yet, running it will tell you whether your current IAM password policy meets them. The CIS AWS Foundations Benchmark also covers these parameters and recommends stricter values (for example, a longer minimum length), so decide which standard sets your baseline and then make sure the policy you enforce satisfies every framework that applies to your organization.
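The following is an added example of such a check, not code from the original page or from the vendor's scan. It evaluates the `PasswordPolicy` object returned by `aws iam get-account-password-policy` against 8.2.3 through 8.2.5 (8.2.6 is a per-user setting and is not visible in the account policy, so it is not checked here). The two sample policies are constructed for illustration, and the `None` case models the `NoSuchEntity` error IAM returns when no custom policy exists and the AWS default applies. The threshold constants and the remediation command use only documented IAM CLI parameters; the function and constant names are this example's own.

```python
"""Evaluate an IAM account password policy against PCI DSS 8.2.3-8.2.5.

Fetch the real input with:
    aws iam get-account-password-policy --query PasswordPolicy
A NoSuchEntity error means no custom policy is set (pass None below).
"""
from typing import List, Optional

# PCI DSS 8.2.3-8.2.5 minimums as stated on this page.
PCI_MIN_LENGTH = 7
PCI_MAX_AGE_DAYS = 90
PCI_REUSE_HISTORY = 4

# Constructed sample policies in the shape IAM returns (not real account data).
COMPLIANT_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}

WEAK_POLICY = {
    "MinimumPasswordLength": 6,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 365,
    "PasswordReusePrevention": 2,
    "HardExpiry": False,
}


def check_pci_password_policy(policy: Optional[dict]) -> List[str]:
    """Return findings tagged with the PCI requirement they fail; [] means compliant."""
    findings: List[str] = []

    if policy is None:
        # AWS default policy: 8+ chars and mixed types, but passwords never
        # expire and reuse is not prevented, so 8.2.4 and 8.2.5 fail outright.
        findings.append("8.2.4: no custom policy set; default never expires passwords")
        findings.append("8.2.5: no custom policy set; default does not prevent reuse")
        return findings

    # 8.2.3: length and both numeric and alphabetic characters.
    length = policy.get("MinimumPasswordLength", 0)
    if length < PCI_MIN_LENGTH:
        findings.append(f"8.2.3: MinimumPasswordLength {length} < {PCI_MIN_LENGTH}")
    has_alpha = policy.get("RequireUppercaseCharacters", False) or \
        policy.get("RequireLowercaseCharacters", False)
    if not (policy.get("RequireNumbers", False) and has_alpha):
        findings.append("8.2.3: policy does not require both numbers and letters")

    # 8.2.4: IAM omits MaxPasswordAge (value 0) when passwords never expire.
    max_age = policy.get("MaxPasswordAge", 0)
    if not policy.get("ExpirePasswords", False) or max_age == 0:
        findings.append("8.2.4: passwords never expire")
    elif max_age > PCI_MAX_AGE_DAYS:
        findings.append(f"8.2.4: MaxPasswordAge {max_age} > {PCI_MAX_AGE_DAYS} days")

    # 8.2.5: IAM omits PasswordReusePrevention (value 0) when reuse is allowed.
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse == 0:
        findings.append("8.2.5: password reuse is not prevented")
    elif reuse < PCI_REUSE_HISTORY:
        findings.append(f"8.2.5: PasswordReusePrevention {reuse} < {PCI_REUSE_HISTORY}")

    return findings


def pci_baseline_cli_args() -> List[str]:
    """argv that sets a policy meeting the PCI minimums via the AWS CLI."""
    return [
        "aws", "iam", "update-account-password-policy",
        "--minimum-password-length", str(PCI_MIN_LENGTH),
        "--require-numbers",
        "--require-lowercase-characters",
        "--require-uppercase-characters",
        "--max-password-age", str(PCI_MAX_AGE_DAYS),
        "--password-reuse-prevention", str(PCI_REUSE_HISTORY),
        "--allow-users-to-change-password",
    ]


if __name__ == "__main__":
    for name, sample in (("compliant", COMPLIANT_POLICY),
                         ("weak", WEAK_POLICY), ("default", None)):
        print(name, check_pci_password_policy(sample) or "OK")
    print(" ".join(pci_baseline_cli_args()))
```

The checker treats a missing `MaxPasswordAge` or `PasswordReusePrevention` key as 0, which is how IAM reports "never expires" and "reuse allowed", so a policy that sets only length and character classes is correctly flagged on 8.2.4 and 8.2.5 rather than passing by accident. The CLI arguments are the PCI floor, not a recommendation; the CIS benchmark values (longer minimum length, deeper reuse history) are the better target.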