IAM password policies should require a minimum length of 14

Description

It is recommended that an enterprise’s password policy require a password length of at least 14 characters. Setting a password complexity policy increases account resiliency against brute force login attempts.

Remediation Steps

AWS Console

• Navigate to IAM Account Settings.

• Select Change password policy.

• In the Enforce minimum password length field, set it to 14 or greater.

• Click the Save changes button.

AWS CLI

• Set password policy to require a minimum of 14 characters.

• This operation does not support partial updates. No parameters are required, but if you do not specify a parameter, that parameter’s value reverts to its default value.

  • aws iam update-account-password-policy <other password options> --minimum-password-length 14

Terraform

• Ensure that the aws_iam_account_password_policy has a minimum_password_length field set to “14”.

Example Configuration

resource "aws_iam_account_password_policy" "example" {
  minimum_password_length = 14
  # other required fields here
}

Documentation Links

AWS Console and CLI

• Console: Setting a Password Policy

• CLI: Setting a Password Policy

Terraform

• Resource: aws_iam_account_password_policy

  • Field: minimum_password_length