IAM password policies should have a minimum length of 7 and include both alphabetic and numeric characters

Description

IAM password policies are used to enforce password complexity requirements and increase account resiliency against brute force login attempts. Password policies should require passwords to be at least 7 characters long and include both alphabetic and numeric characters.

Remediation Steps

AWS Console

  • Navigate to Identity and Access Management.

  • In the left navigation, select Account Settings.

  • In the Minimum password length field, enter 7.

  • Check Require at least one number.

  • Click Apply password policy.

AWS CLI

  • Set password policy to have a minimum length of 7 and include both alphabetic and numeric characters.

  • This operation does not support partial updates. No parameters are required, but if you do not specify a parameter, that parameter’s value reverts to its default value.

    • aws iam update-account-password-policy <other password options> --require-numbers --minimum-password-length 7

Terraform

  • Ensure that the aws_iam_account_password_policy has a minimum_password_length field set to “7”, a require_numbers field set to “true”, and a require_lowercase_characters field set to “true”.

Example Configuration

resource "aws_iam_account_password_policy" "example" {
  minimum_password_length = 7
  require_numbers = true
  require_lowercase_characters = true
  # other required fields here
}
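The CLI note above is the part that bites in practice: update-account-password-policy replaces the whole policy, so fixing only the length and number requirement silently resets reuse prevention, password age and every other setting to its default. The following is an added example, not code from the original page or from AWS: it evaluates a policy in the JSON shape returned by aws iam get-account-password-policy (or boto3's get_account_password_policy) against this rule, then builds the complete parameter set for the update, carrying existing settings over and enforcing minimum length 7, numbers and lowercase letters as the Terraform example does. The sample policy is constructed; function names (evaluate, remediation_params, to_cli) are this example's own.

```python
"""Evaluate an AWS account password policy against this rule and build a
complete (non-partial) update that enforces it.

Added example, not part of the original page. Input is the PasswordPolicy
object returned by `aws iam get-account-password-policy`; the sample below
is constructed for illustration.
"""
import json
import re

MIN_LENGTH = 7

# PasswordPolicy keys that update-account-password-policy accepts.
# ExpirePasswords is read-only (derived from MaxPasswordAge) and is skipped.
UPDATABLE_KEYS = (
    "MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
    "RequireUppercaseCharacters", "RequireLowercaseCharacters",
    "AllowUsersToChangePassword", "MaxPasswordAge",
    "PasswordReusePrevention", "HardExpiry",
)

# Constructed sample: numbers required, no letters required, length too short,
# but with reuse prevention and expiry settings that must survive remediation.
SAMPLE_RESPONSE = json.loads("""
{"PasswordPolicy": {"MinimumPasswordLength": 6, "RequireSymbols": false,
 "RequireNumbers": true, "RequireUppercaseCharacters": false,
 "RequireLowercaseCharacters": false, "AllowUsersToChangePassword": true,
 "ExpirePasswords": true, "MaxPasswordAge": 90,
 "PasswordReusePrevention": 24, "HardExpiry": false}}
""")


def evaluate(policy):
    """Return a list of findings; an empty list means the rule is satisfied.

    `policy` is the PasswordPolicy dict, or None when the account has no
    policy at all (the API reports NoSuchEntity in that case), which is
    non-compliant on its own.
    """
    if policy is None:
        return ["no account password policy is configured"]
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(f"minimum length {length} < {MIN_LENGTH}")
    if not policy.get("RequireNumbers", False):
        findings.append("numeric characters are not required")
    if not (policy.get("RequireLowercaseCharacters", False)
            or policy.get("RequireUppercaseCharacters", False)):
        findings.append("alphabetic characters are not required")
    return findings


def remediation_params(policy):
    """Build the full parameter set for update-account-password-policy.

    The API has no partial update, so every existing updatable setting is
    carried over first and the rule's fields are enforced on top.
    MaxPasswordAge and PasswordReusePrevention are copied only when set:
    0 lies outside the ranges the API accepts (1-1095 and 1-24).
    """
    params = {}
    for key in UPDATABLE_KEYS:
        if policy and key in policy:
            if key in ("MaxPasswordAge", "PasswordReusePrevention") and not policy[key]:
                continue
            params[key] = policy[key]
    params["MinimumPasswordLength"] = max(params.get("MinimumPasswordLength", 0), MIN_LENGTH)
    params["RequireNumbers"] = True
    params["RequireLowercaseCharacters"] = True  # alphabetic requirement, as in the Terraform example
    return params


def to_cli(params):
    """Render the parameter set as a complete aws iam update-account-password-policy command."""
    parts = ["aws iam update-account-password-policy"]
    for key in UPDATABLE_KEYS:
        if key not in params:
            continue
        flag = re.sub(r"(?<!^)(?=[A-Z])", "-", key).lower()  # RequireNumbers -> require-numbers
        value = params[key]
        if isinstance(value, bool):
            parts.append(f"--{flag}" if value else f"--no-{flag}")
        else:
            parts.append(f"--{flag} {value}")
    return " ".join(parts)


if __name__ == "__main__":
    current = SAMPLE_RESPONSE["PasswordPolicy"]
    for finding in evaluate(current):
        print("FAIL:", finding)
    fixed = remediation_params(current)
    print(to_cli(fixed))
```

Run the evaluate step on the real output of aws iam get-account-password-policy; when it reports findings, the rendered command is the one to apply, because it restates the settings you already have rather than letting them fall back to defaults.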