IAM password policies should require at least one symbol
Passwords composed only of letters and numbers are significantly easier to crack through brute force or dictionary attacks. Requiring symbols expands the effective character set from 62 (a-z, A-Z, 0-9) to over 90 printable ASCII characters. Because the number of candidate passwords is the character-set size raised to the password length, that larger base enlarges the search space at every position, and the gap widens exponentially as the password gets longer.
This control works alongside the other complexity requirements (uppercase, lowercase, numeric) to build defense-in-depth around IAM credentials. While federated identity and SSO reduce reliance on IAM passwords, many accounts still maintain local IAM users for break-glass access or legacy integrations. Those passwords deserve the same complexity standards you would apply anywhere else.
Retrofit consideration
Existing IAM users will not be forced to update passwords until their next rotation. Users with non-compliant passwords continue to authenticate until their password expires or they change it manually.
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_iam_account_password_policy.
resource "aws_iam_account_password_policy" "this" {
  max_password_age             = 90   # forces rotation so non-compliant passwords age out
  minimum_password_length      = 14
  password_reuse_prevention    = 24
  require_lowercase_characters = true
  require_numbers              = true
  require_uppercase_characters = true
  require_symbols              = true # the argument this control checks; omitting it sends false
}
What this control checks
This control checks that aws_iam_account_password_policy has require_symbols set to true. The resource is a singleton that applies account-wide. If the resource is absent, AWS defaults require_symbols to false, which fails. If the resource exists but require_symbols is omitted or explicitly set to false, it also fails. The only passing configuration is require_symbols = true. This argument is typically managed alongside require_uppercase_characters, require_lowercase_characters, and require_numbers in the same resource block.
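The four outcomes described above (resource absent, argument omitted, explicit false, explicit true) can be evaluated mechanically. The Python below is an added example, not Compliance.tf's or any scanner's own code; it assumes parsed Terraform resources arrive as a list of dicts with "type", "name" and "values" keys (roughly the flattened resources of a terraform show -json plan), and it generalizes the page's single check to all four complexity arguments, since none of them default to a secure value.

```python
# Added example: minimal evaluator for the require_symbols control over parsed
# Terraform resources. Input shape (list of dicts with "type", "name", "values")
# is an assumption mirroring flattened `terraform show -json` output.
from dataclasses import dataclass
from typing import Any, Iterable, Mapping

POLICY_TYPE = "aws_iam_account_password_policy"

# None of these default to a secure value on the AWS side; omitted == false.
COMPLEXITY_ARGS = (
    "require_symbols",
    "require_uppercase_characters",
    "require_lowercase_characters",
    "require_numbers",
)


@dataclass(frozen=True)
class Finding:
    status: str  # "PASS" or "FAIL"
    reason: str


def check_complexity_arg(resources: Iterable[Mapping[str, Any]],
                         arg: str = "require_symbols") -> Finding:
    """Evaluate one complexity argument the way the control describes:
    absent resource, omitted argument, or explicit false all fail."""
    policies = [r for r in resources if r.get("type") == POLICY_TYPE]
    if not policies:
        return Finding("FAIL", f"no {POLICY_TYPE} resource; AWS default {arg}=false applies")
    if len(policies) > 1:
        # The resource is an account-wide singleton; two declarations would
        # overwrite each other on every apply.
        names = ", ".join(str(r.get("name", "?")) for r in policies)
        return Finding("FAIL", f"{POLICY_TYPE} declared {len(policies)} times ({names}); keep it in one state")
    value = (policies[0].get("values") or {}).get(arg)
    if value is True:
        return Finding("PASS", f"{arg} = true")
    if value is None:
        return Finding("FAIL", f"{arg} omitted; the provider sends false to the API")
    return Finding("FAIL", f"{arg} = {value!r}")


def check_all_complexity(resources: Iterable[Mapping[str, Any]]) -> dict[str, Finding]:
    """Generalization of the single check: apply the same rules to all four
    complexity arguments."""
    resources = list(resources)  # allow several passes over an iterator
    return {arg: check_complexity_arg(resources, arg) for arg in COMPLEXITY_ARGS}


# Constructed sample inputs, one per scenario in the control description.
SAMPLE_CONFIGS = {
    "absent": [],
    "omitted": [{"type": POLICY_TYPE, "name": "this",
                 "values": {"minimum_password_length": 14}}],
    "explicit_false": [{"type": POLICY_TYPE, "name": "this",
                        "values": {"require_symbols": False}}],
    "compliant": [{"type": POLICY_TYPE, "name": "this",
                   "values": {"minimum_password_length": 14,
                              "require_symbols": True,
                              "require_numbers": True,
                              "require_uppercase_characters": True,
                              "require_lowercase_characters": True}}],
}

if __name__ == "__main__":
    for label, resources in SAMPLE_CONFIGS.items():
        finding = check_complexity_arg(resources)
        print(f"{label:15} {finding.status}  {finding.reason}")
```

The evaluator only passes on a literal boolean true, which is what a plan JSON carries after Terraform coerces string values; a duplicate declaration in the scanned set is reported as a failure because the singleton resource cannot be managed twice.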
Common pitfalls
Singleton resource conflicts
The aws_iam_account_password_policy resource is account-global. If two Terraform configurations or workspaces both declare it, they will conflict and overwrite each other on every apply. Manage this resource in exactly one state file, typically your account-baseline or identity module.
Omitting require_symbols defaults to false
Declare aws_iam_account_password_policy without require_symbols and Terraform sends false to the API. You must explicitly set require_symbols = true. The same applies to all the complexity arguments: none of them default to a secure value.
Existing passwords are not retroactively validated
Changing the password policy does not invalidate current passwords. Users with non-compliant passwords keep authenticating until their password expires or they change it. Set max_password_age to force rotation within an acceptable window.
Policy does not apply to root or federated users
The IAM password policy governs only IAM user console passwords. Root account password, SSO users, and federated identity credentials are all out of scope. Root password complexity requires separate management through the AWS console.
Audit evidence
The output of aws iam get-account-password-policy should show "RequireSymbols": true. Config rule evaluations from the iam-password-policy managed rule or Security Hub findings provide continuous compliance evidence. IAM console screenshots under Account Settings with the 'Require at least one non-alphanumeric character' checkbox enabled work as point-in-time proof.
For ongoing assurance, auditors may request historical Config compliance timelines showing the policy stayed enabled across the audit period, along with CloudTrail events for UpdateAccountPasswordPolicy API calls to confirm no temporary weakening occurred.
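Both kinds of evidence named above can be checked offline once the artifacts are exported. The Python below is an added example rather than Compliance.tf's code: the get-account-password-policy output and the CloudTrail records are constructed samples (the account id is a placeholder), and the function names are assumptions. It verifies the live policy flag and then scans CloudTrail for any UpdateAccountPasswordPolicy call that left RequireSymbols false, plus DeleteAccountPasswordPolicy, which reverts the account to AWS defaults.

```python
# Added example: checks over exported audit evidence. Sample CLI output and
# CloudTrail records are constructed; the function names are my own.
import json

# Constructed sample of `aws iam get-account-password-policy` output.
CLI_OUTPUT = """
{
  "PasswordPolicy": {
    "MinimumPasswordLength": 14,
    "RequireSymbols": true,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24
  }
}
"""


def policy_requires_symbols(cli_json: str) -> bool:
    """True only when the live policy has RequireSymbols set. An account with
    no policy at all makes the CLI error out instead of returning JSON, so a
    missing PasswordPolicy key is treated as non-compliant here."""
    policy = json.loads(cli_json).get("PasswordPolicy") or {}
    return policy.get("RequireSymbols") is True


# Constructed CloudTrail records. requestParameters uses CloudTrail's
# lower-camel-case rendering of the IAM API parameters.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2026-01-05T09:12:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAccountPasswordPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/baseline-pipeline"},
     "requestParameters": {"minimumPasswordLength": 14, "requireSymbols": True,
                           "requireNumbers": True, "requireUppercaseCharacters": True,
                           "requireLowercaseCharacters": True}},
    {"eventTime": "2026-02-10T17:40:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAccountPasswordPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"minimumPasswordLength": 14, "requireSymbols": False}},
    {"eventTime": "2026-02-11T08:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"userName": "svc-legacy"}},
    {"eventTime": "2026-03-01T12:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteAccountPasswordPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": None},
]


def find_symbol_weakening(events) -> list[dict]:
    """Return every password-policy write that left RequireSymbols false.
    UpdateAccountPasswordPolicy treats an omitted requireSymbols as false, and
    DeleteAccountPasswordPolicy restores AWS defaults (symbols not required)."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        if name == "DeleteAccountPasswordPolicy":
            reason = "policy deleted; account reverts to AWS defaults"
        elif name == "UpdateAccountPasswordPolicy" and params.get("requireSymbols") is not True:
            reason = "requireSymbols omitted or false"
        else:
            continue
        hits.append({"time": ev.get("eventTime"),
                     "actor": (ev.get("userIdentity") or {}).get("arn"),
                     "event": name, "reason": reason})
    return hits


if __name__ == "__main__":
    print("RequireSymbols now:", policy_requires_symbols(CLI_OUTPUT))
    for hit in find_symbol_weakening(CLOUDTRAIL_EVENTS):
        print(hit)
```

Each hit carries the timestamp and the calling principal, which is what an auditor asking about temporary weakening needs; a Terraform apply that omitted require_symbols shows up here as an UpdateAccountPasswordPolicy call with the parameter absent.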
Framework-specific interpretation
PCI DSS v4.0: Requirement 8.3.6 sets a floor of numeric and alphabetic characters for user passwords. Requiring symbols goes beyond that minimum, so this control provides additional hardening on top of what 8.3.6 strictly mandates.
GDPR: Article 32 requires appropriate technical measures to protect personal data. Strong password policies reduce the risk of unauthorized access to systems holding that data, contributing to the technical security posture Article 32 calls for, though password policy alone doesn't fully satisfy it.
FedRAMP Moderate Baseline Rev 4: IA-5 (Authenticator Management) at the Moderate baseline requires managing password complexity as part of authenticator management. Requiring symbols in the IAM password policy is a direct technical implementation of that control.
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: iam_account_password_policy_one_symbol
AWS Config Managed Rule: IAM_PASSWORD_POLICY
Checkov Check: CKV_AWS_14
Powerpipe Control: aws_compliance.control.iam_account_password_policy_one_symbol
Prowler Check: iam_password_policy_symbol
AWS Security Hub Control: IAM.13
Trivy Check: AWS-0060
Last reviewed: 2026-03-09