IAM Policies for Account Authentication
Setting an IAM Password Policy
Under the AWS Shared Responsibility Model, it is the customer’s responsibility to enforce appropriate IAM policies. PCI Requirement 8.1 stipulates several requirements for PCI-compliant IAM policies, including:
- Unique IDs for all users
- Control the addition, deletion, and modification of user IDs and credentials
- Immediately revoke access for terminated users
- Remove inactive user accounts within 90 days
- Manage third party IDs and remote access
- After six failed access attempts, lock the user out
- Set the lockout duration for at least 30 minutes
- When a session is idle for more than 15 minutes, require reauthentication to reactivate the session
Configuring the appropriate settings in your AWS IAM Password Policy is how you will accomplish many of the sub-requirements under PCI Requirement 8.1, as well as using IAM Roles to further limit account access and enforce authentication.
For more information, visit the documentation for PCI DSS 3.2.1 on AWS.
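The settings the IAM password policy can and cannot express are easier to see in code. The following is an added example, not code from the original page or from AWS: it compares the dict returned by boto3's `iam.get_account_password_policy()` (or passed to `iam.update_account_password_policy()`) against a baseline of this example's own choosing, drawn from the password parameters in PCI DSS 3.2.1 Requirement 8.2 (seven or more characters, numeric and alphabetic, 90-day rotation, no reuse of the last four), and lists the Requirement 8.1 lockout and idle-timeout controls that, as the page notes, the IAM password policy cannot enforce at all. The key names are the real boto3 parameter names; the baseline values and the `NOT_IN_IAM_PASSWORD_POLICY` list are assumptions for illustration.

```python
"""Compare an AWS IAM account password policy against a PCI-oriented baseline.

Added example, not from the original page. Dict keys match the parameters
of boto3's iam.update_account_password_policy() and the keys returned by
iam.get_account_password_policy()['PasswordPolicy']. The baseline values
are this example's choices, taken from PCI DSS 3.2.1 Requirement 8.2;
tighten them to match your own policy.
"""

# Baseline the account should meet (assumption: your policy may be stricter).
PCI_BASELINE = {
    "MinimumPasswordLength": 7,          # 8.2.3: at least 7 characters
    "RequireNumbers": True,              # 8.2.3: numeric and alphabetic
    "RequireLowercaseCharacters": True,
    "RequireUppercaseCharacters": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,                # 8.2.4: change at least every 90 days
    "PasswordReusePrevention": 4,        # 8.2.5: not the same as the last four
    "AllowUsersToChangePassword": True,
    "HardExpiry": False,
}

# Requirement 8.1 controls that the IAM password policy cannot express;
# these need a third-party, federation, or application-level control.
NOT_IN_IAM_PASSWORD_POLICY = (
    "lockout after six failed attempts (8.1.6)",
    "lockout duration of at least 30 minutes (8.1.7)",
    "re-authentication after 15 minutes idle (8.1.8)",
)


def policy_gaps(current: dict) -> list[str]:
    """Return human-readable gaps between `current` and PCI_BASELINE.

    Length and reuse-history settings must be >= the baseline; MaxPasswordAge
    must be <= the baseline (rotating more often is fine). A missing key is
    treated as 'not configured', which is what IAM returns by default.
    """
    gaps = []
    for key, wanted in PCI_BASELINE.items():
        have = current.get(key)
        if isinstance(wanted, bool):
            if bool(have) != wanted:
                gaps.append(f"{key}: expected {wanted}, found {have}")
        elif key == "MaxPasswordAge":
            # 0 or None means passwords never expire in IAM
            if not have or have > wanted:
                gaps.append(f"{key}: expected <= {wanted} days, found {have}")
        else:
            if have is None or have < wanted:
                gaps.append(f"{key}: expected >= {wanted}, found {have}")
    return gaps


def update_kwargs() -> dict:
    """kwargs to pass to boto3's iam.update_account_password_policy(**kwargs)."""
    return dict(PCI_BASELINE)


if __name__ == "__main__":
    # Live check against the account; needs AWS credentials and boto3
    # (assumption: boto3 is installed). Not executed on import.
    import boto3

    iam = boto3.client("iam")
    try:
        live = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        live = {}  # no password policy has ever been set
    for gap in policy_gaps(live):
        print("GAP:", gap)
    for item in NOT_IN_IAM_PASSWORD_POLICY:
        print("NOT COVERED BY IAM PASSWORD POLICY:", item)
```

Running the script against an account with no policy set prints a gap for every baseline key except `HardExpiry`; the three uncovered items are printed unconditionally so that the auditor's question about lockout and idle timeout is not mistaken for something the password policy answers.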
When it comes to complying with Requirement 8.1 in the PCI Data Security Standard, you have to put a lot of attention into your IAM hygiene within your AWS environment. The accounts that you’ve created, the accounts that you remove, and the password parameters that you’ve implemented for the users within your IAM environment are what an auditor will really inspect as they’re trying to determine if you’re complying with PCI Requirement 8.1.
So, let’s talk about a few things that we’re going to walk through with this. First of all, only enabling specific user IDs. You can’t have generic IDs. You can’t have people who are sharing IDs, and we do see this a lot. There tend to be a lot of administrative accounts that are shared by multiple people, and you can’t do that. You have to have each ID assigned to an individual so there’s accountability for what is done when someone is using that ID.

The second thing that we run into quite a bit, even in mature environments, is the inability to remove terminated users from the environment. Most people’s policies will state that they will immediately revoke access for a terminated user. But having a very defined process, so that you do get those accounts out of there, or at least disabled, when an employee is terminated or has left the company, is a very, very important step for complying with Requirement 8.1, because these are the accounts that will be compared against your employee rolls to determine if you have any accounts in there for people who are no longer with your organization.

Finally, the password parameters are very important for complying with 8.1. You have to have a limit on the number of login attempts that can occur. It can’t be more than six login attempts before the account locks. Locking that account for at least 30 minutes is part of the requirement. Actually, for these capabilities, you’re going to have to look beyond the IAM parameters that are available to you. You’ll have to bring in some other capabilities from third-party resources in order to comply with these particular requirements. Also, when an account is idle for more than 15 minutes, you have to terminate the session, and the user would have to log back in again.
Another part of this requirement relates to third-party accounts. We run into this quite frequently as well, where you have IT providers, or managed services providers, or other vendors who require access to your environment. We’ll go in and we’ll see that they haven’t accessed the environment in a period of time. PCI Requirement 8.1 specifies that you only enable these accounts when it’s necessary for the vendor to do their job or perform their services. You need a process for managing that: if you had a vendor, for example, who is doing that once a month for you, have a process where you go in and enable that account once a month, with rules around when it is enabled and available for them to utilize. Finally, you have to have a process to evaluate any unused accounts. I was just looking in an AWS environment yesterday and there was an administrative account that had not been used in over 2,200 days. That’s an example of an account that, once it passes a 90-day threshold, you should disable or remove due to inactivity.
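The 90-day inactivity review described above can be automated from the IAM credential report. The following is an added example, not code from the original page or from AWS: it parses the CSV that `aws iam get-credential-report` returns (the real report is a base64-encoded CSV with these column names) and flags every user whose enabled console password or access key has been idle for more than 90 days, measuring a never-used credential from the user's creation time. The rows in `SAMPLE_REPORT` are constructed sample data, not real accounts, and `AS_OF` is pinned so the result is reproducible; for a live run, decode the report and pass `datetime.now(timezone.utc)`.

```python
"""Flag IAM users whose credentials have been idle for more than 90 days.

Added example, not from the original page. It reads the CSV produced by
`aws iam get-credential-report`; the rows below are constructed sample
data (a subset of the real report's columns), not real accounts.
"""
import csv
import io
from datetime import datetime, timezone

INACTIVITY_LIMIT_DAYS = 90  # PCI DSS 8.1.4: remove/disable after 90 days idle

# Constructed sample report. 'not_supported', 'N/A' and 'no_information'
# are the literal placeholders the real report uses.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2014-01-01T00:00:00+00:00,not_supported,2020-06-01T08:00:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2019-05-01T00:00:00+00:00,true,2021-02-20T09:15:00+00:00,true,false,N/A,false,N/A
admin-legacy,arn:aws:iam::111111111111:user/admin-legacy,2014-06-01T00:00:00+00:00,true,2015-02-20T00:00:00+00:00,false,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2018-01-01T00:00:00+00:00,false,N/A,false,true,2020-10-15T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2021-01-10T00:00:00+00:00,true,no_information,false,false,N/A,false,N/A
"""

# Pinned "today" so the sample gives a stable answer; use datetime.now(timezone.utc) live.
AS_OF = datetime(2021, 3, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return a datetime for an ISO-8601 cell, or None for N/A / no_information / missing."""
    try:
        return datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def _is_true(value) -> bool:
    return (value or "").strip().lower() == "true"


def inactive_users(report_csv: str, as_of: datetime = AS_OF,
                   limit: int = INACTIVITY_LIMIT_DAYS) -> list[dict]:
    """Return users with an enabled password or access key idle for more than `limit` days.

    Last activity is the most recent of console sign-in and access-key use.
    A user whose enabled credentials were never used is measured from
    user_creation_time. The root row is skipped because the report marks
    its password_enabled as not_supported rather than true/false.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        has_password = _is_true(row.get("password_enabled"))
        has_key = (_is_true(row.get("access_key_1_active"))
                   or _is_true(row.get("access_key_2_active")))
        if not (has_password or has_key):
            continue  # nothing enabled, nothing to disable
        activity = [
            _parse_ts(row.get(col))
            for col in ("password_last_used",
                        "access_key_1_last_used_date",
                        "access_key_2_last_used_date")
        ]
        activity = [t for t in activity if t is not None]
        last = max(activity) if activity else _parse_ts(row["user_creation_time"])
        idle_days = (as_of - last).days
        if idle_days > limit:
            findings.append({
                "user": row["user"],
                "idle_days": idle_days,
                "never_used": not activity,
                "mfa_active": _is_true(row.get("mfa_active")),
            })
    # Longest-idle first, so the 2,200-day admin account is at the top of the list
    return sorted(findings, key=lambda f: f["idle_days"], reverse=True)


if __name__ == "__main__":
    for f in inactive_users(SAMPLE_REPORT):
        print(f"{f['user']}: idle {f['idle_days']} days "
              f"(never used: {f['never_used']}, MFA: {f['mfa_active']})")
```

On the sample data the script reports `admin-legacy` at 2,201 idle days and `svc-deploy` at 137; `alice` was used nine days ago, `bob` was created 50 days ago and has not yet crossed the threshold, and root is skipped. Access-key activity is counted alongside console sign-ins on purpose: a service user with no password can still be an inactive account under 8.1.4.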
These are some of the requirements that you’ll find in 8.1. Please reach out to us and talk to us about any struggles that you’re having because some of these things can be tricky and we’d be happy to help you evaluate that and figure out the best way for your organization to comply with PCI Requirement 8.1.