IAM password policies should have minimum length set to 14 or greater
Short passwords are exponentially easier to brute-force. A 14-character minimum provides a meaningful jump in entropy compared to the AWS default of 8, pushing offline cracking times from hours to years even with modern GPU clusters. NIST SP 800-63B recommends longer passwords over complexity rules precisely because users compensate for complexity requirements with predictable substitutions (P@ssw0rd) that barely slow attackers.
Every IAM user with console access inherits this policy. If the minimum is too low, a single compromised credential hands an attacker a foothold for privilege escalation, lateral movement, or data exfiltration.
Retrofit consideration
Existing IAM users are not forced to change passwords immediately. Users with passwords shorter than 14 characters will only be required to comply at their next rotation or reset. You may need to force a password reset for all console users to achieve immediate compliance.
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_iam_account_password_policy.
resource "aws_iam_account_password_policy" "this" {
  max_password_age             = 90
  minimum_password_length      = 14   # the control requires 14 or greater; AWS defaults to 8 if omitted
  password_reuse_prevention    = 24
  require_lowercase_characters = true
  require_numbers              = true
  require_symbols              = true
  require_uppercase_characters = true
}
What this control checks
This control validates that an aws_iam_account_password_policy resource exists with minimum_password_length set to 14 or higher. The resource is a singleton: only one exists per AWS account. Set minimum_password_length = 14 (or any integer up to the AWS maximum of 128) to pass; any value below 14 fails. If the argument is omitted, or no aws_iam_account_password_policy resource is defined at all, the account falls back to the default policy with a minimum of 8, which also fails.
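The following plan-time checker, added here as an illustration and not part of Compliance.tf or any of the tools listed below, evaluates the three cases the control describes: an explicit minimum_password_length of 14 or more passes, an explicit lower value fails, and both an omitted argument and a missing resource fall back to the AWS default of 8 and fail. The sample HCL strings are constructed for the example.

```python
"""Plan-time check for the 14-character IAM password minimum (added example)."""
import re

AWS_DEFAULT_MIN_LENGTH = 8    # applies when the argument is omitted or no policy exists
REQUIRED_MIN_LENGTH = 14
AWS_MAX_MIN_LENGTH = 128

# The resource body holds only simple arguments (no nested blocks), so matching
# up to the first closing brace captures the whole body.
RESOURCE_RE = re.compile(
    r'resource\s+"aws_iam_account_password_policy"\s+"[^"]+"\s*\{(?P<body>[^}]*)\}'
)
ARG_RE = re.compile(r"^\s*minimum_password_length\s*=\s*(\d+)\s*$", re.MULTILINE)


def effective_min_length(hcl: str) -> int:
    """Minimum length the account will actually enforce after apply.

    Both an omitted argument and a missing resource leave the account on the
    AWS default of 8, which is why either case fails the control.
    """
    block = RESOURCE_RE.search(hcl)
    if block is None:
        return AWS_DEFAULT_MIN_LENGTH
    arg = ARG_RE.search(block.group("body"))
    return int(arg.group(1)) if arg else AWS_DEFAULT_MIN_LENGTH


def evaluate(hcl: str) -> tuple:
    """Return (status, effective_length); status is "PASS" or "FAIL"."""
    length = effective_min_length(hcl)
    ok = REQUIRED_MIN_LENGTH <= length <= AWS_MAX_MIN_LENGTH
    return ("PASS" if ok else "FAIL", length)


# Constructed sample configurations, not taken from any real repository.
COMPLIANT = '''
resource "aws_iam_account_password_policy" "this" {
  minimum_password_length = 14
  require_symbols         = true
}
'''
OMITTED = '''
resource "aws_iam_account_password_policy" "this" {
  require_symbols = true
}
'''
NO_POLICY = 'resource "aws_iam_user" "deploy" {\n  name = "deploy"\n}\n'

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("omitted", OMITTED), ("no policy", NO_POLICY)):
        print(f"{name}: {evaluate(cfg)}")
```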
Common pitfalls
Default minimum_password_length is 8, not 14
The Terraform resource deploys successfully without minimum_password_length set explicitly, but the AWS default is 8, which fails this check. The resource is created with no errors and no indication that the value is non-compliant. Always set the argument explicitly.
Existing passwords are not retroactively enforced
Updating the policy doesn't invalidate existing passwords. Users with sub-14-character passwords keep them until their next rotation. To force immediate compliance, run aws iam update-login-profile --user-name <user> --password-reset-required per user, or set hard_expiry = true on the policy.
Policy resource is a singleton and can conflict
Multiple Terraform stacks or manual console changes managing this resource will silently overwrite each other since the policy is a singleton per account. Consolidate it under one state file with terraform import, and remove the resource block from any secondary stacks.
SSO users are not covered by IAM password policy
This control only covers IAM users with console passwords. If you use IAM Identity Center (SSO), those credentials are governed by the identity source, whether that's Active Directory, Okta, or another IdP. Scoping findings to console-password IAM users avoids false positives.
Audit evidence
An auditor expects to see the output of aws iam get-account-password-policy, confirming that MinimumPasswordLength is 14 or greater. The Config rule iam-password-policy evaluated as COMPLIANT provides continuous evidence. Security Hub findings showing this control as PASSED across the relevant accounts are also acceptable.
For organizations managing many accounts, a Config aggregator dashboard or a Security Hub multi-account summary showing this control passing across all member accounts is the preferred artifact.
Framework-specific interpretation
PCI DSS v4.0: Requirement 8.3.6 sets a 12-character floor (or 8 if the system doesn't support 12). Setting 14 clears that bar without exception and requires no compensating controls.
GDPR: Article 32 asks for appropriate technical measures to secure personal data processing. Weak IAM passwords on accounts that handle EU personal data represent inadequate security under that standard. A 14-character minimum is a direct, auditable measure that supports this requirement.
NIST SP 800-53 Rev 5: IA-5 (Authenticator Management) requires organizations to enforce minimum password length as part of authenticator composition rules. The 14-character floor aligns with SP 800-63B, which favors length over complexity as the more effective control.
FedRAMP Moderate Baseline Rev 4: At the Moderate baseline, IA-5(1) calls for demonstrable technical enforcement of minimum password length across all user accounts. Examiners will pull the account password policy directly and check the value.
Related controls
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: iam_account_password_policy_min_length_14
AWS Config Managed Rule: IAM_PASSWORD_POLICY
Checkov Check: CKV_AWS_10
Powerpipe Control: aws_compliance.control.iam_account_password_policy_min_length_14
Prowler Check: iam_password_policy_minimum_length_14
AWS Security Hub Control: IAM.15
KICS Query: 1bc1c685-e593-450e-88fb-19db4c82aa1d
Trivy Check: AWS-0063
Last reviewed: 2026-03-09