IAM account password policy uses password reuse prevention set to 24 remembered passwords (maximum history) for IAM users
Risk
If fewer than 24 passwords are remembered, users can cycle back to recently used secrets, undermining the purpose of rotation. An attacker holding a previously exposed password can regain console access once the user rotates back to it, reducing confidentiality and integrity and raising the odds that credential stuffing with already-known credentials succeeds.
prowler aws --checks iam_password_policy_reuse_24
prowler aws --checks iam_password_policy_reuse_24 --fixer
Recommendation
Set the password policy to remember 24 previous passwords to block reuse. Combine with MFA, strong length and complexity, and avoid rotation practices that encourage predictable patterns. Apply least privilege and monitor authentication events as part of defense in depth.
Remediation
aws iam update-account-password-policy --password-reuse-prevention 24
- Open the AWS Management Console and go to IAM
- In the left menu, select Account settings
- In Password policy, click Edit
- Select Custom (if not already)
- Set Prevent password reuse to 24
- Click Save changes
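The following script is an added example, not Prowler's own check or fixer code. It evaluates the dict returned by iam:GetAccountPasswordPolicy the way the check above does (a missing custom policy, a missing PasswordReusePrevention field and a value below 24 all fail) and shows a fixer that carries the existing settings forward, because iam:UpdateAccountPasswordPolicy replaces the whole policy and resets any parameter you do not pass to its default. The sample policies are constructed, the live path assumes boto3 and AWS credentials in the environment, and the --live and --fixer flags are this script's own, not Prowler's.

```python
"""Audit (and optionally fix) PasswordReusePrevention in an AWS account password policy.

Added example, not Prowler's own code. boto3 is imported only inside the live
path, so the evaluation logic runs offline against the constructed samples.
"""
from typing import Optional

# The check expects the maximum IAM supports: 24 remembered passwords.
REQUIRED_REUSE_PREVENTION = 24

# Parameters accepted by iam:UpdateAccountPasswordPolicy. The Get call also
# returns ExpirePasswords, which is derived and must not be passed to Update.
UPDATE_PARAMETERS = {
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "MaxPasswordAge",
    "PasswordReusePrevention", "HardExpiry",
}

# Constructed sample policies (not captured from a real account).
SAMPLE_WEAK_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 5,
}
SAMPLE_COMPLIANT_POLICY = dict(SAMPLE_WEAK_POLICY, PasswordReusePrevention=24)


def evaluate_reuse_prevention(policy: Optional[dict]) -> tuple:
    """Return (passes, finding) for a PasswordPolicy dict.

    None represents the IAM default (no custom policy), where
    GetAccountPasswordPolicy raises NoSuchEntity and nothing prevents reuse.
    """
    if policy is None:
        return False, "No custom password policy: password reuse is not prevented"
    remembered = policy.get("PasswordReusePrevention")
    if remembered is None:
        return False, "Password policy does not prevent password reuse"
    if remembered < REQUIRED_REUSE_PREVENTION:
        return False, (f"Password policy remembers only {remembered} previous "
                       f"passwords, fewer than {REQUIRED_REUSE_PREVENTION}")
    return True, f"Password policy remembers {remembered} previous passwords"


def build_update_kwargs(policy: Optional[dict]) -> dict:
    """Build UpdateAccountPasswordPolicy arguments that raise reuse prevention to 24.

    UpdateAccountPasswordPolicy replaces the whole policy and resets any
    parameter that is not supplied to its default, so every existing setting
    is carried forward instead of sending PasswordReusePrevention alone.
    """
    kwargs = {k: v for k, v in (policy or {}).items() if k in UPDATE_PARAMETERS}
    kwargs["PasswordReusePrevention"] = REQUIRED_REUSE_PREVENTION
    return kwargs


def fetch_password_policy(iam_client) -> Optional[dict]:
    """Read the live policy with a boto3 IAM client; None when no custom policy exists."""
    try:
        return iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        return None


def fix_password_policy(iam_client) -> dict:
    """Apply the remediation while preserving the other fields; returns the arguments sent."""
    kwargs = build_update_kwargs(fetch_password_policy(iam_client))
    iam_client.update_account_password_policy(**kwargs)
    return kwargs


if __name__ == "__main__":
    import sys

    # Offline demonstration against the constructed samples.
    for name, sample in (("default", None), ("weak", SAMPLE_WEAK_POLICY),
                         ("compliant", SAMPLE_COMPLIANT_POLICY)):
        passes, finding = evaluate_reuse_prevention(sample)
        print(f"{name:10} {'PASS' if passes else 'FAIL'}: {finding}")

    # Live audit (and fix with --fixer) using the caller's AWS credentials.
    if "--live" in sys.argv:
        import boto3  # assumed to be installed only for the live path
        iam = boto3.client("iam")
        passes, finding = evaluate_reuse_prevention(fetch_password_policy(iam))
        print(f"live       {'PASS' if passes else 'FAIL'}: {finding}")
        if not passes and "--fixer" in sys.argv:
            print("applied:", fix_password_policy(iam))
```

Run it without arguments to see the three sample verdicts; with --live it audits the current account, and --live --fixer additionally applies the 24-password setting while keeping length, complexity and expiry settings intact, which the bare aws iam update-account-password-policy --password-reuse-prevention 24 command above does not.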
Resource Type
AwsIamPolicy