AWS Expands Credential Lifecycle Management and Monitoring

By Steffen Opel, Jul 29, 2014


AWS Identity and Access Management (IAM) recently expanded the available password policy rules to enable self-service password rotation. A new credential report provides visibility into the security status of an account's AWS credentials. AWS also added logging of AWS Management Console sign-in events to AWS CloudTrail.

IAM is a web service that enables AWS customers to manage users, groups, roles and permissions in order to securely control access to AWS services and resources. Existing IAM password policies already offered options to enforce password complexity rules, but lacked features such as mandatory password rotation, which many IT departments demand and which security standards such as PCI DSS v2.0, ISO 27001, and FedRAMP require.

Administrators can now set mandatory password rotation periods ranging from one day to three years:

  • users are notified starting 15 days before their passwords expire
  • users cannot log in without resetting their password once it has expired
  • users can optionally be forced to contact an administrator once their password expires
  • users can be prevented from reusing up to 24 preceding passwords

IAM password policy dialog

IAM also added support for the common password creation workflow, where administrators assign users an initial custom or auto-generated password and optionally require them to create a new one at next sign-in.

In addition, IAM now offers a credential report that contains the information needed to audit the status of IAM users' security credentials and the effects of credential lifecycle policies such as password rotation. The CSV-formatted file can be downloaded interactively or programmatically and generated as often as every four hours.
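As an added example (not code from the article or from AWS), the following audit reads a credential report and flags the lifecycle problems the policies above are meant to catch: passwords older than a rotation period, console users without MFA, stale access keys, and an active root access key. The CSV rows are constructed; the column names are a subset of the real report's, and the 90-day limits are assumed policy values rather than AWS defaults.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of an IAM credential report: real column names (a subset),
# made-up rows. "N/A" and "not_supported" appear as the report emits them.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,not_supported,false,true,2013-01-05T09:00:00+00:00
alice,arn:aws:iam::123456789012:user/alice,true,2014-02-01T12:00:00+00:00,true,true,2014-06-15T10:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,2014-07-01T12:00:00+00:00,false,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,N/A,false,true,2013-03-01T12:00:00+00:00
"""

# Fixed "now" so the audit is deterministic (the article's publication date).
NOW = datetime(2014, 7, 29, tzinfo=timezone.utc)


def parse_ts(value):
    """Return an aware datetime, or None for the report's non-date markers."""
    if value in ("N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(csv_text, now=NOW, max_password_age=90, max_key_age=90):
    """Map user -> list of findings. Age limits are assumed policy values, not AWS defaults."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if row["user"] == "<root_account>":
            # Root has no password policy; the point is that it should hold no access keys.
            if row["access_key_1_active"] == "true":
                issues.append("root access key active")
        else:
            if row["password_enabled"] == "true":
                changed = parse_ts(row["password_last_changed"])
                if changed and now - changed > timedelta(days=max_password_age):
                    issues.append("password older than policy")
                if row["mfa_active"] != "true":
                    issues.append("console access without MFA")
            if row["access_key_1_active"] == "true":
                rotated = parse_ts(row["access_key_1_last_rotated"])
                if rotated and now - rotated > timedelta(days=max_key_age):
                    issues.append("access key 1 not rotated")
        if issues:
            findings[row["user"]] = issues
    return findings
```

Against the sample, alice is flagged for a 178-day-old password, bob for console access without MFA, deploy-bot for a key last rotated in 2013, and the root account for holding an access key at all.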

AWS CloudTrail also gained additional auditing capabilities and can now log AWS Management Console sign-in events whenever an account owner or IAM user signs in to the console directly, or a federated user signs in via single sign-on (SSO). As previously covered, CloudTrail records all API calls made in an AWS account and stores the resulting log files in an Amazon S3 bucket for reuse by other applications.

The following sign-in activities by IAM and federated users now also leave an event trail:

  • every successful sign-in
  • every unsuccessful sign-in attempt
  • whether multi-factor authentication (MFA) was enforced for the sign-in
  • the IP address of every sign-in event

Successful root account sign-in events are recorded as well, though unsuccessful ones are not. AWS strongly recommends no longer using AWS root account access keys and creating individual IAM users instead:

By creating individual IAM users for people accessing your account, you can give each IAM user a unique set of security credentials. You can also grant different permissions to each IAM user. If necessary, you can change or revoke an IAM user’s permissions any time. (If you give out your AWS root credentials, it can be difficult to revoke them.)
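As an added example (not code from the article or from AWS), the following detector walks CloudTrail records and uses the four sign-in attributes listed above to raise alerts: a burst of failed attempts for one user from one IP, a successful sign-in without MFA, and any root console sign-in. The records are constructed in the documented ConsoleLogin shape; the failure threshold is an assumption for the example, not an AWS setting.

```python
from collections import defaultdict

# Constructed CloudTrail records in the documented ConsoleLogin shape; not a real trail.
def console_login(user_type, user_name, ip, outcome, mfa_used, event_time):
    rec = {
        "eventTime": event_time, "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "userIdentity": {"type": user_type},
        "sourceIPAddress": ip, "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa_used},
    }
    if user_name:
        rec["userIdentity"]["userName"] = user_name
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return rec

SAMPLE_RECORDS = [
    console_login("IAMUser", "alice", "203.0.113.10", "Success", "Yes", "2014-07-28T08:01:00Z"),
    console_login("IAMUser", "bob", "198.51.100.7", "Failure", "No", "2014-07-28T08:05:00Z"),
    console_login("IAMUser", "bob", "198.51.100.7", "Failure", "No", "2014-07-28T08:05:30Z"),
    console_login("IAMUser", "bob", "198.51.100.7", "Failure", "No", "2014-07-28T08:06:00Z"),
    console_login("IAMUser", "bob", "198.51.100.7", "Success", "No", "2014-07-28T08:07:00Z"),
    console_login("Root", None, "192.0.2.5", "Success", "No", "2014-07-28T09:00:00Z"),
    # An ordinary API call; the detector must skip anything that is not a sign-in.
    {"eventTime": "2014-07-28T09:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
]

def review_console_logins(records, failure_threshold=3):
    """Alerts for failure bursts, sign-ins without MFA and root sign-ins (threshold is assumed)."""
    failures = defaultdict(int)
    alerts = []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        identity = rec["userIdentity"]
        who = identity.get("userName", identity["type"])
        ip = rec["sourceIPAddress"]
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if rec["responseElements"]["ConsoleLogin"] == "Failure":
            failures[(who, ip)] += 1
            if failures[(who, ip)] == failure_threshold:
                alerts.append(f"{failure_threshold} failed sign-ins for {who} from {ip}")
            continue
        if mfa != "Yes":
            alerts.append(f"sign-in without MFA: {who} from {ip}")
        if identity["type"] == "Root":
            alerts.append(f"root console sign-in from {ip}")
    return alerts
```

Note that the sample contains only a successful root sign-in, consistent with the article's point that failed root attempts are not recorded, so a failure-burst rule cannot protect the root account the way it does IAM users.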

The IAM documentation features dedicated sections on managing the various types of credentials (passwords, access keys, MFA, and certificates) and on logging IAM events with AWS CloudTrail, including examples of the JSON-formatted log events. Guidance on IAM best practices is also available. Support is provided via the Identity and Access Management and CloudTrail forums.


Recommendation by Ann Marie

Highly dynamic environments like AWS are constantly changing, which is why smarter monitoring solutions are crucial. Look at Dynatrace - it uses artificial intelligence to find problems and find root-cause analysis in real-time. It can help companies save both time and money. You can read more at:
