Is there a way to implement a policy/rule to lock accounts that have failed login within a given time window? For instance, a user fails login 3 times in a 15-minute window, and therefore their account is locked for either 60 minutes or until an admin grants them access.
Currently there isn't an option for this in the AWS Identity & Access Management console, is there?
You can't sign in to an AWS account because you're using incorrect credentials (email address, user name, or password), or you forgot the credentials that you use to sign in to an AWS account. You received a notification that there is an issue with your AWS account (for example, that it's closed or suspended).
In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials. On the AWS IAM Credentials tab, choose Change password. For Current password, enter your current password. Enter a new password for New password and Confirm new password.
In the navigation pane, choose Users. Choose the name of the user whose password you want to change. Choose the Security credentials tab, and then under Sign-in credentials, choose Manage password next to Console password.
You can assign IAM users to up to 10 groups. You can also attach up to 10 managed policies to each group, for a maximum of 120 policies (20 managed policies attached to the IAM user, 10 IAM groups, with 10 policies each).
New IAM Features: Enhanced Password Management and Credential Reports
Lockout on login attempt failure is currently not supported. We have heard this request before and are evaluating it for inclusion on our roadmap.
Kai Zhao - Product Manager, AWS IAM
This is not available natively and you cannot temporarily disable console sign-in as far as I know (though you can deactivate IAM user keys).
You could potentially build a solution that tells you this kind of thing is happening, but it wouldn't be trivial. Failed sign-in attempts are logged in CloudTrail, so you could send the logs to CloudWatch Logs, then process the relevant logs to detect sign-in anomalies and take actions such as sending notifications.
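The detection step described in the answer above, and the "3 failures in 15 minutes" rule from the question, written out as an added example (not code from the original thread or from AWS). It takes CloudTrail `ConsoleLogin` records of the documented shape (`eventName`, `eventTime`, `userIdentity.userName`, `responseElements.ConsoleLogin` of `"Failure"` or `"Success"`, `sourceIPAddress`) and applies a per-user sliding window; the sample records, user names and IP addresses are constructed for the demonstration. Because the answers on this page say a native lockout is not available, the output is an alert list to feed a notification, not a lock action.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Thresholds from the question: 3 failures within a 15-minute window.
MAX_FAILURES = 3
WINDOW = timedelta(minutes=15)


def parse_event(raw):
    """Return (user, timestamp, failed) for a ConsoleLogin record, else None."""
    if raw.get("eventName") != "ConsoleLogin":
        return None
    ident = raw.get("userIdentity", {})
    # IAM users carry userName; the root user only has type "Root".
    user = ident.get("userName") or ident.get("type", "unknown")
    ts = datetime.strptime(raw["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    failed = raw.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    return user, ts, failed


def detect_lockouts(records, max_failures=MAX_FAILURES, window=WINDOW):
    """Sliding-window check over CloudTrail records (any order).

    Returns a list of (user, trigger_time, source_ip) tuples, one per burst
    of `max_failures` failed sign-ins inside `window` for the same user.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for raw in sorted(records, key=lambda r: r["eventTime"]):
        parsed = parse_event(raw)
        if parsed is None:
            continue
        user, ts, failed = parsed
        q = recent[user]
        if not failed:
            q.clear()  # a successful sign-in ends the failure streak
            continue
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= max_failures:
            alerts.append((user, ts, raw.get("sourceIPAddress")))
            q.clear()  # report each burst once
    return alerts


def build_notification(alert):
    """Plain-text message for an alert, e.g. for an SNS publish."""
    user, ts, ip = alert
    return (f"IAM console sign-in failures for user '{user}' reached the "
            f"threshold at {ts.isoformat()} (last source IP {ip})")


def _rec(user, time, outcome, ip="198.51.100.7"):
    # Constructed CloudTrail-style ConsoleLogin record (sample data only).
    return {
        "eventTime": time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},
    }


# Constructed sample: alice trips the rule, bob's failures are too spread
# out, carol's streak is broken by a successful sign-in.
SAMPLE_EVENTS = [
    _rec("alice", "2024-03-01T12:00:00Z", "Failure"),
    _rec("alice", "2024-03-01T12:05:00Z", "Failure"),
    _rec("alice", "2024-03-01T12:10:00Z", "Failure"),
    _rec("alice", "2024-03-01T12:12:00Z", "Failure"),
    _rec("bob", "2024-03-01T12:00:00Z", "Failure", ip="203.0.113.9"),
    _rec("bob", "2024-03-01T12:20:00Z", "Failure", ip="203.0.113.9"),
    _rec("bob", "2024-03-01T12:40:00Z", "Failure", ip="203.0.113.9"),
    _rec("carol", "2024-03-01T12:00:00Z", "Failure"),
    _rec("carol", "2024-03-01T12:01:00Z", "Failure"),
    _rec("carol", "2024-03-01T12:02:00Z", "Success"),
    _rec("carol", "2024-03-01T12:03:00Z", "Failure"),
    _rec("carol", "2024-03-01T12:04:00Z", "Failure"),
    {"eventTime": "2024-03-01T12:00:30Z", "eventName": "DescribeInstances"},
]

if __name__ == "__main__":
    for a in detect_lockouts(SAMPLE_EVENTS):
        print(build_notification(a))
```

In a CloudWatch Logs subscription or a Lambda fed by CloudTrail, `detect_lockouts` would run over each batch of decoded records and `build_notification` would supply the message for whatever notification channel is in use; the window state would then need to live outside the function (for example in a small table) rather than in the in-memory deque used here.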