Ensure that your AWS IAM users are using a strong password policy to define password requirements such as minimum length, expiration date, whether it requires a certain pattern, and so forth.
This rule can help you with the following compliance standards:
- CISAWSF
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Enforcing AWS IAM password strength, pattern and rotation is vital when it comes to maintaining the security of your AWS account. Having a strong password policy in use will significantly reduce the risk of password-guessing and brute-force attacks.
Audit
Case A (Risk Level: High). To determine if your AWS account has a password policy in use, perform the following:
Case B (Risk Level: Medium). To determine if your IAM password policy enforces a minimum password length of 14 characters, perform the following:
Case C (Risk Level: Medium). To determine if your IAM password policy enforces at least one lowercase letter for the user passwords, perform the following:
Case D (Risk Level: Medium). To determine if your IAM password policy enforces at least one uppercase letter for the user passwords, perform the following:
Case E (Risk Level: Medium). To determine if your IAM password policy enforces at least one number for the user passwords, perform the following:
Case F (Risk Level: Medium). To determine if your IAM password policy enforces at least one non-alphanumeric character for the user passwords, perform the following:
Case G (Risk Level: Medium). To determine if your IAM password policy enforces password expiration with a defined threshold of 90 days or less, perform the following:
Case H (Risk Level: Medium). To determine if your IAM password policy enforces prevention of reusing passwords, perform the following:
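The eight audit cases above can be checked programmatically against the JSON that `aws iam get-account-password-policy` prints. The following is an added example, not Conformity's own rule code: it assumes the policy object uses the standard IAM field names (`MinimumPasswordLength`, `RequireSymbols`, `MaxPasswordAge`, `PasswordReusePrevention`, ...), treats a missing policy (the CLI's `NoSuchEntity` error) as `None`, and uses a reuse-history depth of 24 as an assumed threshold since the page names none.

```python
import json
import sys

# Thresholds: 14 characters and 90 days are the values stated in Cases B and G;
# the reuse-history depth of 24 is an assumption (the page gives no number).
MIN_LENGTH = 14
MAX_AGE_DAYS = 90
REUSE_HISTORY = 24


def evaluate_password_policy(policy):
    """Return {case: (passed, risk_level)} for Cases A-H.

    `policy` is the "PasswordPolicy" object from the CLI output, or None
    when the account has no policy at all (CLI reports NoSuchEntity).
    """
    if policy is None:
        # Case A fails (High); nothing else can pass without a policy.
        return {"A": (False, "High"), **{c: (False, "Medium") for c in "BCDEFGH"}}
    checks = {
        "B": policy.get("MinimumPasswordLength", 0) >= MIN_LENGTH,
        "C": policy.get("RequireLowercaseCharacters", False),
        "D": policy.get("RequireUppercaseCharacters", False),
        "E": policy.get("RequireNumbers", False),
        "F": policy.get("RequireSymbols", False),
        # Expiration only counts if it is enabled AND the age is within 90 days.
        "G": policy.get("ExpirePasswords", False)
        and 0 < policy.get("MaxPasswordAge", 0) <= MAX_AGE_DAYS,
        "H": policy.get("PasswordReusePrevention", 0) >= REUSE_HISTORY,
    }
    result = {"A": (True, "High")}
    result.update({c: (bool(ok), "Medium") for c, ok in checks.items()})
    return result


def failing_cases(policy):
    """Sorted list of case letters that do not pass."""
    return sorted(c for c, (ok, _) in evaluate_password_policy(policy).items() if not ok)


def audit_cli_output(text):
    """Parse `aws iam get-account-password-policy` output and list failing cases."""
    return failing_cases(json.loads(text)["PasswordPolicy"])


# Constructed sample in the shape the CLI prints; not from a real account.
SAMPLE_CLI_OUTPUT = """{"PasswordPolicy": {"MinimumPasswordLength": 8,
 "RequireSymbols": true, "RequireNumbers": true, "RequireUppercaseCharacters": true,
 "RequireLowercaseCharacters": false, "AllowUsersToChangePassword": true,
 "ExpirePasswords": true, "MaxPasswordAge": 180, "PasswordReusePrevention": 24}}"""

if __name__ == "__main__":
    # Usage: aws iam get-account-password-policy | python audit.py
    text = SAMPLE_CLI_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    print("Failing cases:", audit_cli_output(text) or "none")
```

On the constructed sample the script reports Cases B, C and G as failing (length 8, no lowercase requirement, 180-day expiry).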
Remediation / Resolution
Case A: To enable the IAM password policy for your AWS account, perform the following:
Case B: To enforce a minimum length of 14 characters for your IAM user passwords, perform the following:
Case C: To enforce at least one uppercase letter for your IAM user passwords, perform the following:
Case D: To enforce at least one lowercase letter for your IAM user passwords, perform the following:
Case E: To enforce at least one number for your IAM user passwords, perform the following:
Case F: To enforce at least one non-alphanumeric character for your IAM user passwords, perform the following:
Case G: To enforce password expiration with a threshold of 90 days or less for your IAM user passwords, perform the following:
Case H: To enforce prevention of reusing passwords for your IAM users, perform the following:
References
- AWS Documentation
  - AWS Identity and Access Management FAQs
  - IAM Best Practices
  - Setting an Account Password Policy for IAM Users
- AWS Command Line Interface (CLI) Documentation
  - iam
  - list-users
  - get-account-password-policy
  - update-account-password-policy
You are auditing:
AWS IAM Password Policy
Risk level: Medium