
IAM Account Password Policy

Permissions
With an IAM account password policy you can define custom, account-wide requirements for your IAM users' console passwords: complexity rules, a minimum length, a reuse history and a mandatory rotation period. The policy governs only IAM user console passwords; it does not apply to the root user's password, to access keys, or to federated identities that never hold an IAM password.
Terraform resource: aws_iam_account_password_policy (IAM Account Password Policy)
Attributes:
  • allow_users_to_change_password - (Optional) Whether to allow users to change their own password. Defaults to false.
  • hard_expiry - (Optional) Whether users are prevented from setting a new password after their password has expired (i.e., an administrator must reset it). Defaults to false.
  • max_password_age - (Optional) The number of days that a user password is valid (1 to 1095). When unset, passwords never expire.
  • minimum_password_length - (Optional) Minimum length to require for user passwords (6 to 128). Defaults to 6.
  • password_reuse_prevention - (Optional) The number of previous passwords that users are prevented from reusing (1 to 24). When unset, reuse is not prevented.
  • require_lowercase_characters - (Optional) Whether to require at least one lowercase character in user passwords.
  • require_numbers - (Optional) Whether to require at least one number in user passwords.
  • require_symbols - (Optional) Whether to require at least one symbol (non-alphanumeric character) in user passwords.
  • require_uppercase_characters - (Optional) Whether to require at least one uppercase character in user passwords.

Associating resources with an IAM Account Password Policy
Resources do not "belong" to an IAM Account Password Policy, and nothing is attached to it. There is exactly one password policy per AWS account: it is account-wide and applies automatically to the console password of every IAM user in that account. The Terraform resource and the CLI command below therefore create or overwrite that single policy rather than adding further ones.
Create IAM Account Password Policy via Terraform:
The following HCL creates an IAM account password policy that requires all four character classes and lets users change their own passwords. It leaves max_password_age and password_reuse_prevention unset and uses a minimum length of 8, so it does not yet satisfy the 14-character, 90-day-expiry and reuse-prevention rules listed under Best Practices below.
Syntax:

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 8    # API range 6-128; best practice is 14 or more
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
  # max_password_age and password_reuse_prevention are not set here, so
  # passwords never expire and previous passwords may be reused.
}

Create IAM Account Password Policy via CLI:
Parameters (synopsis of aws iam update-account-password-policy):

update-account-password-policy
[--minimum-password-length <value>]
[--require-symbols | --no-require-symbols]
[--require-numbers | --no-require-numbers]
[--require-uppercase-characters | --no-require-uppercase-characters]
[--require-lowercase-characters | --no-require-lowercase-characters]
[--allow-users-to-change-password | --no-allow-users-to-change-password]
[--max-password-age <value>]
[--password-reuse-prevention <value>]
[--hard-expiry | --no-hard-expiry]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws iam update-account-password-policy --minimum-password-length 8 --require-numbers

Note that update-account-password-policy replaces the whole policy: every parameter you omit is reset to its default (minimum length 6, no character-class requirements, no expiration, no reuse prevention, hard expiry off, users not allowed to change their own password). The call above therefore clears any stricter settings already in place, such as a symbol requirement or a 90-day expiry. Pass every parameter explicitly on each call, and confirm the result with aws iam get-account-password-policy.

Best Practices for IAM Account Password Policy

Each rule is listed with its severity. The last two concern the root user, whose credentials the password policy does not govern, but they are the root-account checks that belong alongside it.

  • Critical - Ensure IAM password policy expires passwords within 90 days or less
  • Info - Ensure IAM password policy has an expiration period
  • Warning - Ensure IAM password policy prevents password reuse
  • Warning - Ensure IAM password policy requires at least one lowercase letter
  • Warning - Ensure IAM password policy requires at least one number
  • Warning - Ensure IAM password policy requires at least one symbol
  • Warning - Ensure IAM password policy requires at least one uppercase letter
  • Warning - Ensure IAM password policy requires a minimum length of 14 or greater
  • Critical - Ensure no root account access key exists
  • Critical - Ensure the root user has MFA enabled
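The Python below is an added example, not CloudWiki's or AWS's code. It evaluates the "PasswordPolicy" object returned by get-account-password-policy against the rules above and builds a complete parameter set for update-account-password-policy, which matters because that call resets every parameter it is not given. WEAK_POLICY is a constructed sample shaped as the result of the CLI example earlier on this page; the thresholds (14 characters, 90 days) come from the list above, and the 24-password reuse history is the API maximum. fetch_policy and apply_hardened_policy are the only parts that talk to AWS; they assume boto3 and valid credentials with iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy, and are not run by default.

```python
"""Audit an IAM account password policy against the rules on this page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # Critical / Warning / Info, as in the list above
    rule: str


MIN_LENGTH = 14   # thresholds from the best-practice list
MAX_AGE_DAYS = 90

# Values the API substitutes for every parameter omitted from
# update-account-password-policy (a partial update silently downgrades the
# rest).  MaxPasswordAge 0 = never expires, PasswordReusePrevention 0 = no history.
API_DEFAULTS = {
    "MinimumPasswordLength": 6, "RequireSymbols": False, "RequireNumbers": False,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": False, "MaxPasswordAge": 0,
    "PasswordReusePrevention": 0, "HardExpiry": False,
}

# Constructed sample of the "PasswordPolicy" object returned by
# get-account-password-policy, shaped as the result of the CLI example on this
# page: length 8 and numbers required, everything else at its API default.
# As in a real response, unset MaxPasswordAge/PasswordReusePrevention are absent.
WEAK_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": False, "ExpirePasswords": False, "HardExpiry": False,
}

CHARACTER_CLASSES = (
    ("RequireLowercaseCharacters", "lowercase letter"),
    ("RequireNumbers", "number"),
    ("RequireSymbols", "symbol"),
    ("RequireUppercaseCharacters", "uppercase letter"),
)


def audit_policy(policy):
    """Return the failed rules for one PasswordPolicy dict (None = no policy set)."""
    if policy is None:
        # get-account-password-policy raised NoSuchEntity: the account is still
        # on the AWS default policy and none of the rules below is enforced.
        return [Finding("Critical", "No custom IAM password policy is set")]
    p = {**API_DEFAULTS, **policy}  # absent keys behave like API defaults
    findings = []
    age = p["MaxPasswordAge"]
    if age == 0:
        findings.append(Finding("Info", "Ensure IAM password policy has an expiration period"))
    if age == 0 or age > MAX_AGE_DAYS:
        findings.append(Finding("Critical", f"Ensure IAM password policy expires passwords within {MAX_AGE_DAYS} days or less"))
    if p["PasswordReusePrevention"] < 1:
        findings.append(Finding("Warning", "Ensure IAM password policy prevents password reuse"))
    for key, name in CHARACTER_CLASSES:
        if not p[key]:
            findings.append(Finding("Warning", f"Ensure IAM password policy requires at least one {name}"))
    if p["MinimumPasswordLength"] < MIN_LENGTH:
        findings.append(Finding("Warning", f"Ensure IAM password policy requires a minimum length of {MIN_LENGTH} or greater"))
    return findings


def hardened_update_params():
    """Complete kwargs for boto3 update_account_password_policy: every parameter
    is stated explicitly so nothing falls back to an API default."""
    return {
        "MinimumPasswordLength": MIN_LENGTH,
        "RequireSymbols": True, "RequireNumbers": True,
        "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "MaxPasswordAge": MAX_AGE_DAYS,
        "PasswordReusePrevention": 24,  # API maximum
        "HardExpiry": False,  # True forces an administrator reset after expiry
    }


def fetch_policy(iam):
    """Current PasswordPolicy from a boto3 IAM client (boto3.client("iam")),
    or None when the account has no custom policy.  Needs credentials."""
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return None


def apply_hardened_policy(iam):
    """Replace the account policy; needs iam:UpdateAccountPasswordPolicy."""
    iam.update_account_password_policy(**hardened_update_params())


if __name__ == "__main__":
    for f in audit_policy(WEAK_POLICY):
        print(f"{f.severity:<8} {f.rule}")
    print("hardened params pass audit:", audit_policy(hardened_update_params()) == [])
```

Run as-is it audits the constructed WEAK_POLICY offline and reports one Critical, one Info and five Warning findings; against a live account, pass fetch_policy(boto3.client("iam")) to audit_policy, and only call apply_hardened_policy once you have checked that the hardened parameters (including hard_expiry) match your own requirements, since the update replaces the existing policy in full.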