CloudWiki
Resource
Detect, troubleshoot & optimize AWS environments in real-time ->

Amazon Web Service (AWS)

IAM Account Password Policy

Permissions
With IAM account password policy you can create a custom password policy in your AWS account, where you can set complexed and strict requirements, and mandatory rotation periods for your IAM users' passwords.
Costs
The cost of using Identity and Access Management (IAM) features is free, as it is included in the overall cost of using Amazon Web Services (AWS). There are no charges for creating or using IAM users, groups, roles, or policies. However, some AWS services, such as Amazon S3 or Amazon EC2, may incur charges for using IAM features, such as creating an IAM role to access an Amazon S3 bucket or an Amazon EC2 instance.
Direct Cost

--

Indirect Cost
No items found.
Terraform Name
aws_iam_account_password_policy
IAM Account Password Policy
attributes:
  • allow_users_to_change_password - (Optional) Whether to allow users to change their own password
  • hard_expiry - (Optional) Whether users are prevented from setting a new password after their password has expired (i.e., require administrator reset)
  • max_password_age - (Optional) The number of days that an user password is valid.
  • minimum_password_length - (Optional) Minimum length to require for user passwords.
  • password_reuse_prevention - (Optional) The number of previous passwords that users are prevented from reusing.
  • require_lowercase_characters - (Optional) Whether to require lowercase characters for user passwords.
  • require_numbers - (Optional) Whether to require numbers for user passwords.
  • require_symbols - (Optional) Whether to require symbols for user passwords.
  • require_uppercase_characters - (Optional) Whether to require uppercase characters for user passwords.

Associating resources with a
IAM Account Password Policy
Resources do not "belong" to a
IAM Account Password Policy
Rather, one or more Security Groups are associated to a resource.
Create
IAM Account Password Policy
via Terraform:
The following HCL creates a strict IAM account password policy
Syntax:

resource "aws_iam_account_password_policy" "strict" {
 minimum_password_length        = 8
 require_lowercase_characters   = true
 require_numbers                = true
 require_uppercase_characters   = true
 require_symbols                = true
 allow_users_to_change_password = true
}

Create
IAM Account Password Policy
via CLI:
Parametres:

update-account-password-policy
[--minimum-password-length <value>]
[--require-symbols | --no-require-symbols]
[--require-numbers | --no-require-numbers]
[--require-uppercase-characters | --no-require-uppercase-characters]
[--require-lowercase-characters | --no-require-lowercase-characters]
[--allow-users-to-change-password | --no-allow-users-to-change-password]
[--max-password-age <value>]
[--password-reuse-prevention <value>]
[--hard-expiry | --no-hard-expiry]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws iam update-account-password-policy --minimum-password-length 8 --require-numbers

Best Practices for
IAM Account Password Policy

Categorized by Availability, Security & Compliance and Cost

Explore all the rules our platform covers
Related blog posts
All Resources