Detect, troubleshoot & optimize AWS environments in real-time ->

Amazon Web Service (AWS)

IAM Account Password Policy

With IAM account password policy you can create a custom password policy in your AWS account, where you can set complexed and strict requirements, and mandatory rotation periods for your IAM users' passwords.
The cost of using Identity and Access Management (IAM) features is free, as it is included in the overall cost of using Amazon Web Services (AWS). There are no charges for creating or using IAM users, groups, roles, or policies. However, some AWS services, such as Amazon S3 or Amazon EC2, may incur charges for using IAM features, such as creating an IAM role to access an Amazon S3 bucket or an Amazon EC2 instance.
Direct Cost


Indirect Cost
No items found.
Terraform Name
IAM Account Password Policy
  • allow_users_to_change_password - (Optional) Whether to allow users to change their own password
  • hard_expiry - (Optional) Whether users are prevented from setting a new password after their password has expired (i.e., require administrator reset)
  • max_password_age - (Optional) The number of days that an user password is valid.
  • minimum_password_length - (Optional) Minimum length to require for user passwords.
  • password_reuse_prevention - (Optional) The number of previous passwords that users are prevented from reusing.
  • require_lowercase_characters - (Optional) Whether to require lowercase characters for user passwords.
  • require_numbers - (Optional) Whether to require numbers for user passwords.
  • require_symbols - (Optional) Whether to require symbols for user passwords.
  • require_uppercase_characters - (Optional) Whether to require uppercase characters for user passwords.

Associating resources with a
IAM Account Password Policy
Resources do not "belong" to a
IAM Account Password Policy
Rather, one or more Security Groups are associated to a resource.
IAM Account Password Policy
via Terraform:
The following HCL creates a strict IAM account password policy

resource "aws_iam_account_password_policy" "strict" {
 minimum_password_length        = 8
 require_lowercase_characters   = true
 require_numbers                = true
 require_uppercase_characters   = true
 require_symbols                = true
 allow_users_to_change_password = true

IAM Account Password Policy
via CLI:

[--minimum-password-length <value>]
[--require-symbols | --no-require-symbols]
[--require-numbers | --no-require-numbers]
[--require-uppercase-characters | --no-require-uppercase-characters]
[--require-lowercase-characters | --no-require-lowercase-characters]
[--allow-users-to-change-password | --no-allow-users-to-change-password]
[--max-password-age <value>]
[--password-reuse-prevention <value>]
[--hard-expiry | --no-hard-expiry]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]


aws iam update-account-password-policy --minimum-password-length 8 --require-numbers

Best Practices for
IAM Account Password Policy

Categorized by Availability, Security & Compliance and Cost

Explore all the rules our platform covers
Related blog posts
All Resources