IAM password policies should require at least one number

Passwords made entirely of alphabetic characters are much easier to crack via dictionary attacks. Requiring a digit forces users out of common word patterns, increasing the keyspace an attacker has to search.

This setting applies account-wide and takes effect at every password creation and rotation. Without it, users can set something like "PasswordPassword" that passes length checks but fails basic entropy. One missing complexity rule weakens every other password policy constraint you've configured.

Retrofit consideration

This takes effect at the next password change per user, not immediately. Users who haven't been notified will hit the complexity check unexpectedly when they rotate, which generates support tickets. Notify users before enabling, or accept the call volume.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_iam_account_password_policy.

resource "aws_iam_account_password_policy" "this" {
  max_password_age             = 90
  minimum_password_length      = 14
  password_reuse_prevention    = 24
  require_lowercase_characters = true
  require_symbols              = true
  require_uppercase_characters = true

  require_numbers = true
}

What this control checks

The control checks that aws_iam_account_password_policy has require_numbers = true. There is exactly one password policy per AWS account, so only one resource instance should exist. It fails when the resource is absent, or when require_numbers is false or omitted. The default value is false, so omission counts as a failure. Other arguments on the resource don't affect this check, though the policy resource typically groups all complexity and rotation settings together.
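The check described above, written out as a small evaluator over `terraform show -json` plan output. This is an added example, not Compliance.tf's or any listed tool's code; the plan document is constructed inline and follows the planned_values shape that `terraform show -json` emits.

```python
"""Evaluate the require_numbers control against `terraform show -json` plan output."""
import json

# Constructed sample of a plan's planned_values section (shape follows
# `terraform show -json`); the resources and values are made up for this example.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_iam_account_password_policy.this",
             "type": "aws_iam_account_password_policy",
             "values": {"minimum_password_length": 14, "require_numbers": True}},
        ],
        "child_modules": [{"address": "module.baseline", "resources": [
            {"address": "module.baseline.aws_iam_account_password_policy.this",
             "type": "aws_iam_account_password_policy",
             "values": {"minimum_password_length": 14}},  # require_numbers omitted
        ]}],
    }}
})

def iter_resources(module):
    """Walk a plan module recursively, yielding every planned resource."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_password_policy_numbers(plan_json):
    """Return (passed, findings) for the one-number control on a plan document."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    policies = [r for r in iter_resources(root)
                if r.get("type") == "aws_iam_account_password_policy"]
    findings = []
    if not policies:
        findings.append("FAIL: no aws_iam_account_password_policy resource planned")
    if len(policies) > 1:
        # One policy per account: duplicate definitions overwrite each other on apply.
        findings.append(f"WARN: {len(policies)} policy resources planned; keep exactly one")
    for r in policies:
        # The provider default is false, so an omitted argument counts as false.
        if r.get("values", {}).get("require_numbers") is not True:
            findings.append(f"FAIL: {r['address']} has require_numbers false or omitted")
    return (not any(f.startswith("FAIL") for f in findings), findings)

if __name__ == "__main__":
    passed, findings = check_password_policy_numbers(SAMPLE_PLAN)
    print("PASS" if passed else "FAIL", *findings, sep="\n")
```

Run it against a real plan with `terraform show -json tfplan` piped to the function; the sample fails because the module copy omits the argument and because two policy resources are planned.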

Common pitfalls

  • Password policy resource is all-or-nothing

    The aws_iam_account_password_policy resource owns the entire password policy for the account. If two teams define it in separate stacks, Terraform will overwrite whichever was last applied. Keep exactly one definition, in a baseline or account-vending module.

  • Default value of require_numbers is false

    If require_numbers is omitted from the resource declaration, the policy is applied with it set to false. Every complexity argument (require_uppercase_characters, require_lowercase_characters, require_numbers, require_symbols) must be set explicitly. There are no secure defaults.

  • Policy does not apply to existing passwords retroactively

    Existing passwords aren't retroactively invalidated. A user with "PasswordPassword" set today keeps it valid until their next password change, or until expiration via max_password_age. If you're not enforcing expiration, there's no guarantee when compliance is actually reached.

Audit evidence

An auditor expects to see aws iam get-account-password-policy output with RequireNumbers: true. The Config rule iam-password-policy showing a COMPLIANT evaluation is also accepted. IAM Account Settings console screenshots with 'Require at least one number' checked work as point-in-time evidence. For multi-account environments, Security Hub findings or periodic CSPM exports showing the control passing across all accounts in scope are stronger than screenshots taken at audit time.

Framework-specific interpretation

PCI DSS v4.0: For any personnel with access to the cardholder data environment, Requirement 8.3.6 mandates passwords include both numeric and alphabetic characters. This control covers the numeric side of that requirement.

GDPR: Article 32(1) calls for appropriate technical measures to secure personal data processing. Password complexity is a concrete control demonstrating that account access is technically restricted, not just procedurally defined.

FedRAMP Moderate Baseline Rev 4: IA-5(1) at the Moderate baseline calls for enforced password complexity through technical controls, not user guidance. Numeric character requirements are explicitly listed, and require_numbers directly satisfies this.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: iam_account_password_policy_one_number

  • AWS Config Managed Rule: IAM_PASSWORD_POLICY

  • Checkov Check: CKV_AWS_12

  • Powerpipe Control: aws_compliance.control.iam_account_password_policy_one_number

  • Prowler Check: iam_password_policy_number

  • AWS Security Hub Control: IAM.14

  • Trivy Check: AWS-0059

Last reviewed: 2026-03-09