IAM password policies should expire passwords within 90 days


IAM password policies can require passwords to be rotated or expired after a given number of days. Reducing the password lifetime increases account resiliency against brute force login attempts.

Console Remediation Steps

  • Navigate to IAM.

  • In the left navigation, select Account settings.

  • Check the Enable password expiration checkbox.

  • In the Password expiration period (days) field, enter 90 days or less.

  • Click the Apply password policy button.

CLI Remediation Steps

  • Set IAM password policy to expire passwords in 90 days.

  • This operation does not support partial updates. No parameters are required, but if you do not specify a parameter, that parameter’s value reverts to its default value.

    • aws iam update-account-password-policy <other password options> --max-password-age 90