AWS IAM Account Password Policy Deleted
editAWS IAM Account Password Policy Deleted
editIdentifies deletion of the AWS account password policy via DeleteAccountPasswordPolicy. The account password policy enforces minimum password requirements (length, complexity, rotation, and reuse) for all IAM users in the account. Deleting it removes those requirements account-wide, weakening authentication and easing follow-on credential-based attacks. This is an account-level change that legitimately occurs only during deliberate administration, so its deletion by an unexpected principal warrants review.
Rule type: query
Rule indices:
- logs-aws.cloudtrail-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: Identity
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: AWS IAM
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
Investigating AWS IAM Account Password Policy Deleted
The account password policy is an account-wide control that sets minimum password length, character complexity, maximum age, and reuse-prevention for all IAM users. DeleteAccountPasswordPolicy removes it entirely, reverting the account to no enforced password requirements — which weakens authentication and can facilitate credential attacks or mask weak credentials created later. Because this is a single, account-level, high-impact change, it should be deliberate and rare.
Possible investigation steps
-
Identify the actor in
aws.cloudtrail.user_identity.arn,aws.cloudtrail.user_identity.type, andaws.cloudtrail.user_identity.session_context.session_issuer.arn, and reviewsource.ip/user_agent.original. -
Determine whether a replacement policy was set shortly after (
UpdateAccountPasswordPolicy) or whether the account was left with no policy. - Confirm whether the change aligns with an approved governance change.
- Correlate with recent activity by the same principal, such as creation of IAM users or login profiles, or other defense-evasion actions (CloudTrail/logging changes) that may indicate a broader effort to weaken controls.
False positive analysis
-
Approved governance or infrastructure-as-code may delete/replace the policy. Confirm the change is expected and exclude known administration roles or automation on
aws.cloudtrail.user_identity.arnafter validation. -
Note: AWS GuardDuty also surfaces account password policy changes via
Stealth:IAMUser/PasswordPolicyChange; correlate if GuardDuty is enabled.
Response and remediation
-
If the deletion is unauthorized, restore an appropriate account password policy (
UpdateAccountPasswordPolicy) that meets your organization’s standards, and review any IAM users or login profiles created while no policy was enforced. -
Rotate or restrict credentials for the principal if compromise is suspected, and constrain
iam:DeleteAccountPasswordPolicyandiam:UpdateAccountPasswordPolicyto a small set of trusted administrators.
Rule query
editdata_stream.dataset: "aws.cloudtrail"
and event.provider: "iam.amazonaws.com"
and event.action: "DeleteAccountPasswordPolicy"
and event.outcome: "success"
and not aws.cloudtrail.user_identity.type: "AWSService"
and not user_agent.original: (*terraform* or *pulumi* or *ansible*)
and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)
and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Modify Authentication Process
- ID: T1556
- Reference URL: https://attack.mitre.org/techniques/T1556/