IAM Password policy should have expiry less than or equal to 90 days.

Property
Language: terraform
Severity: medium
Service: iam
Provider: AWS
Vulnerability Type: omission

Description

The IAM password policy does not enforce password expiry within 90 days, allowing users to keep the same password for extended periods. This increases the risk window for compromised credentials.

Impact

If passwords remain valid for too long, attackers who obtain a user’s password have a prolonged opportunity to access sensitive AWS resources. This can lead to unauthorized access, data breaches, or further compromise of cloud infrastructure.

IAM Password policy should have minimum password length of 14 or more characters.

Property
Language: terraform
Severity: medium
Service: iam
Provider: AWS
Vulnerability Type: omission

Description

The IAM password policy allows users to create passwords shorter than 14 characters, which weakens password strength and increases susceptibility to brute-force or guessing attacks. The configuration does not enforce a sufficiently long minimum password length.

Impact

Short passwords are easier for attackers to compromise through automated guessing or brute-force attacks, potentially leading to unauthorized access to AWS resources and increased risk of account takeover or data breaches.

IAM Password policy should have requirement for at least one lowercase character.

Property
Language: terraform
Severity: medium
Service: iam
Provider: AWS
Vulnerability Type: omission

Description

The IAM password policy does not enforce the use of at least one lowercase character in user passwords, allowing weak and easily guessable passwords to be set. This reduces the overall strength of account credentials.

Impact

Without a requirement for lowercase characters, passwords are simpler and more vulnerable to brute-force or dictionary attacks, increasing the risk of unauthorized access to AWS resources and potential compromise of sensitive data.

IAM Password policy should have requirement for at least one number in the password.

Property
Language: terraform
Severity: medium
Service: iam
Provider: AWS
Vulnerability Type: omission

Description

The IAM account password policy does not require users to include at least one numeric character in their passwords. This results in weaker, less complex passwords that are easier to guess or brute-force.

Impact

Without a requirement for numbers in passwords, attackers have an easier time compromising accounts through password guessing or brute-force attacks, increasing the risk of unauthorized access to AWS resources and potential data breaches.

IAM Password policy should have requirement for at least one symbol in the password.

Property
Language: terraform
Severity: medium
Service: iam
Provider: AWS
Vulnerability Type: omission

Description

The IAM password policy is configured without requiring at least one symbol in user passwords, allowing the use of weaker, less complex passwords. This increases the risk of passwords being easily guessed or compromised through brute-force attacks.

Impact

Without symbol requirements, user passwords are more susceptible to common attacks such as brute-force or dictionary attacks. If compromised, attackers could gain unauthorized access to AWS resources, potentially resulting in data breaches or resource misuse.

IAM Password policy should have requirement for at least one uppercase character.

Property
Language: terraform
Severity: medium
Service: iam
Provider: AWS
Vulnerability Type: omission

Description

The IAM account password policy does not enforce the requirement for at least one uppercase character in user passwords, allowing the use of weak, easily guessed passwords. This configuration reduces the overall complexity of passwords managed by AWS IAM.

Impact

Without requiring uppercase characters, passwords are more susceptible to brute-force or dictionary attacks, increasing the risk of unauthorized access to AWS resources and potential compromise of sensitive data or infrastructure.

IAM Password policy should prevent password reuse.

Property
Language: terraform
Severity: medium
Service: iam
Provider: AWS
Vulnerability Type: omission

Description

The IAM account password policy does not prevent users from reusing recent passwords, allowing them to set the same password as one of their last few. This weakens password security by making it easier for compromised credentials to be reused.

Impact

If exploited, attackers or unauthorized users could repeatedly use previously compromised passwords, increasing the risk of unauthorized access and making it harder to contain account breaches. This undermines password rotation policies and can lead to persistent account compromise.
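The seven password-policy checks above, as an added Terraform example that is not part of the original page: a weak aws_iam_account_password_policy beside one that satisfies every check. Only one account password policy can exist per AWS account, so the two resources are shown side by side for comparison only; all values are constructed.

```hcl
# Weak: every omission flagged above is present (constructed example).
resource "aws_iam_account_password_policy" "weak" {
  minimum_password_length = 8
  # No max_password_age        -> passwords never expire
  # No require_* attributes    -> no character-class requirements
  # No password_reuse_prevention -> old passwords can be reused
}

# Corrected: satisfies all seven checks above.
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14   # at least 14 characters
  require_lowercase_characters   = true # at least one lowercase letter
  require_uppercase_characters   = true # at least one uppercase letter
  require_numbers                = true # at least one digit
  require_symbols                = true # at least one symbol
  max_password_age               = 90   # expiry in days, must be <= 90
  password_reuse_prevention      = 24   # remember the last 24 passwords
  allow_users_to_change_password = true # users can rotate on their own
  hard_expiry                    = false
}
```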

IAM policies should not be granted directly to users.

Property
Language: terraform
Severity: low
Service: iam
Provider: AWS

Description

IAM policies are being attached directly to individual users rather than to groups or roles, leading to fragmented and complex access management. This practice increases the risk of users accumulating excessive or unintended permissions.

Impact

Directly assigning policies to users makes it difficult to audit and control permissions, raising the likelihood of privilege creep and accidental over-privileging. This can result in users retaining or gaining unauthorized access to sensitive resources, increasing the risk of security incidents.

IAM policy should avoid use of wildcards and instead apply the principle of least privilege.

Property
Language: terraform
Severity: high
Service: iam
Provider: AWS
Vulnerability Type: misconfiguration

Description

Using wildcards in IAM policies can lead to overly permissive access, granting users or services permissions that are broader than necessary.

Impact

This increases the attack surface and the potential for misuse of privileges, which can lead to unauthorized access or accidental modifications.

Resolution

Specify the exact permissions required and the exact resources they apply to, instead of using wildcards.

IAM Users should have MFA enforcement activated.

Property
Language: terraform
Severity: medium
Service: iam
Provider: AWS

Description

IAM user accounts should be protected with multi-factor authentication as a safeguard against password compromise.

Resolution

Enable MFA for the user account.
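The three checks above (no direct user attachment, no wildcards, MFA enforcement) in one added Terraform example that is not the page's or any tool's own code. The group, user, bucket ARN and policy names are constructed, and MFA enforcement is assumed to be expressed as a Deny policy conditioned on aws:MultiFactorAuthPresent attached to the group.

```hcl
# Least privilege: explicit actions on an explicit resource, no "*" grants.
resource "aws_iam_policy" "reports_read" {
  name = "reports-read-only" # constructed name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-reports-bucket",   # constructed ARN
        "arn:aws:s3:::example-reports-bucket/*",
      ]
    }]
  })
}

# MFA enforcement: deny everything except MFA self-enrolment until the
# caller presents an MFA-authenticated session. The "*" here restricts
# rather than grants, so it is not an over-permissive wildcard.
resource "aws_iam_policy" "require_mfa" {
  name = "require-mfa"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Deny"
      NotAction = ["iam:ListMFADevices", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ResyncMFADevice", "sts:GetSessionToken"]
      Resource  = "*"
      Condition = { BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" } }
    }]
  })
}

# Policies are attached to a group; users only get membership in the group.
resource "aws_iam_group" "analysts" {
  name = "analysts"
}

resource "aws_iam_group_policy_attachment" "analysts" {
  for_each   = { read = aws_iam_policy.reports_read.arn, mfa = aws_iam_policy.require_mfa.arn }
  group      = aws_iam_group.analysts.name
  policy_arn = each.value
}

resource "aws_iam_user" "alice" {
  name = "alice" # constructed user; no aws_iam_user_policy_attachment on it
}

resource "aws_iam_user_group_membership" "alice" {
  user   = aws_iam_user.alice.name
  groups = [aws_iam_group.analysts.name]
}
```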