AWS IAM Account Password Policy Deleted

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

AWS IAM Account Password Policy Deleted

edit

Identifies deletion of the AWS account password policy via DeleteAccountPasswordPolicy. The account password policy enforces minimum password requirements (length, complexity, rotation, and reuse) for all IAM users in the account. Deleting it removes those requirements account-wide, weakening authentication and easing follow-on credential-based attacks. This is an account-level change that legitimately occurs only during deliberate administration, so its deletion by an unexpected principal warrants review.

Rule type: query

Rule indices:

  • logs-aws.cloudtrail-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: Identity
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS IAM
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating AWS IAM Account Password Policy Deleted

The account password policy is an account-wide control that sets minimum password length, character complexity, maximum age, and reuse-prevention for all IAM users. DeleteAccountPasswordPolicy removes it entirely, reverting the account to no enforced password requirements — which weakens authentication and can facilitate credential attacks or mask weak credentials created later. Because this is a single, account-level, high-impact change, it should be deliberate and rare.

Possible investigation steps

  • Identify the actor in aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, and aws.cloudtrail.user_identity.session_context.session_issuer.arn, and review source.ip / user_agent.original.
  • Determine whether a replacement policy was set shortly after (UpdateAccountPasswordPolicy) or whether the account was left with no policy.
  • Confirm whether the change aligns with an approved governance change.
  • Correlate with recent activity by the same principal, such as creation of IAM users or login profiles, or other defense-evasion actions (CloudTrail/logging changes) that may indicate a broader effort to weaken controls.

False positive analysis

  • Approved governance or infrastructure-as-code may delete/replace the policy. Confirm the change is expected and exclude known administration roles or automation on aws.cloudtrail.user_identity.arn after validation.
  • Note: AWS GuardDuty also surfaces account password policy changes via Stealth:IAMUser/PasswordPolicyChange; correlate if GuardDuty is enabled.

Response and remediation

  • If the deletion is unauthorized, restore an appropriate account password policy (UpdateAccountPasswordPolicy) that meets your organization’s standards, and review any IAM users or login profiles created while no policy was enforced.
  • Rotate or restrict credentials for the principal if compromise is suspected, and constrain iam:DeleteAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy to a small set of trusted administrators.

Rule query

edit
data_stream.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "DeleteAccountPasswordPolicy"
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
    and not user_agent.original: (*terraform* or *pulumi* or *ansible*)
    and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)
    and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")

Framework: MITRE ATT&CKTM