
IAM password policies should require at least one uppercase letter

Passwords composed entirely of lowercase characters occupy a smaller keyspace that automated cracking tools can exhaust quickly. Requiring uppercase characters forces a minimum 52-character alphabet, meaningfully increasing the time needed for brute-force attacks against IAM console credentials.

While MFA and federation reduce reliance on passwords, many AWS accounts still have IAM users who authenticate with passwords. A weak password policy lets a single compromised credential become an entry point, and AWS applies the account-level policy to every IAM user at password creation or rotation.

Retrofit consideration

Existing IAM users are not forced to change their passwords when you update the policy. Users with non-compliant passwords retain them until their next rotation or forced reset.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_iam_account_password_policy.

resource "aws_iam_account_password_policy" "this" {
  max_password_age             = 90
  minimum_password_length      = 14
  password_reuse_prevention    = 24
  require_lowercase_characters = true
  require_numbers              = true
  require_symbols              = true

  require_uppercase_characters = true
}

What this control checks

The control checks that an aws_iam_account_password_policy resource exists with require_uppercase_characters set to true. The resource applies account-wide and only one can exist per AWS account. If require_uppercase_characters is omitted, it defaults to false in the AWS API and the control fails. No other resources or arguments are involved. It passes when require_uppercase_characters is explicitly true; it fails when the argument is false or when no password policy resource exists.

Common pitfalls

  • Defaults to false when omitted

    The require_uppercase_characters argument on aws_iam_account_password_policy defaults to false if not explicitly specified. A resource block that only sets minimum_password_length will fail this control because the uppercase requirement is not enabled.

  • Existing passwords are not retroactively enforced

    Updating the password policy does not invalidate or force rotation of existing IAM user passwords. Users whose current passwords lack uppercase letters keep working until the next password change. Pair the policy update with max_password_age or a manual forced reset via aws iam update-login-profile --password-reset-required.

  • Single resource per account can cause Terraform conflicts

    aws_iam_account_password_policy is a singleton. If two Terraform stacks or workspaces both manage it, each apply overwrites the settings the other stack last applied, and the next plan in either stack shows drift. Centralize this resource in a single account-baseline configuration.

  • Federated-only accounts still need the policy

    Even if most users authenticate via SSO, any remaining IAM users with console access (including break-glass accounts) are subject to the account password policy. Compliance frameworks expect the policy to exist regardless of federation status.

Audit evidence

An auditor expects to see the output of aws iam get-account-password-policy showing RequireUppercaseCharacters set to true. The Config rule iam-password-policy evaluation results showing COMPLIANT status are also standard evidence. Screenshots from the IAM console under Account settings with the uppercase requirement checked provide supplementary proof.

For continuous compliance, a history of Config compliance timeline entries for this rule shows the policy has stayed enforced across the audit period, not just at a single point in time.
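As an added example (not Compliance.tf's, Terraform's or the AWS provider's own code), the following Python applies the pass/fail logic from "What this control checks" to the JSON that `terraform show -json tfplan` emits, and applies the same test to the document that `aws iam get-account-password-policy` returns as audit evidence. It goes slightly beyond the text by also walking child modules and flagging the singleton declared twice. The plan documents, the API output and the `module.baseline` address are constructed samples trimmed to the fields the checks read.

```python
"""Evaluate the 'uppercase letter required' control against Terraform plan JSON
and against the JSON returned by `aws iam get-account-password-policy`.
Added example; all sample documents below are constructed, not captured."""
import json
from typing import Iterator

RESOURCE_TYPE = "aws_iam_account_password_policy"
ARG = "require_uppercase_characters"


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every planned resource in a module and in its nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_plan(plan: dict) -> tuple:
    """Return (status, reason) for the control against a `terraform show -json` document."""
    root = plan.get("planned_values", {}).get("root_module", {})
    policies = [r for r in iter_resources(root) if r.get("type") == RESOURCE_TYPE]
    if not policies:
        return ("FAIL", "no aws_iam_account_password_policy resource is planned")
    if len(policies) > 1:
        addrs = ", ".join(r["address"] for r in policies)
        return ("FAIL", f"singleton resource declared more than once: {addrs}")
    res = policies[0]
    value = res.get("values", {}).get(ARG)
    # Only an explicit true passes: a missing argument means the AWS default (false).
    if value is True:
        return ("PASS", f"{res['address']} sets {ARG} = true")
    shown = "omitted (AWS default is false)" if value is None else str(value).lower()
    return ("FAIL", f"{res['address']} has {ARG} = {shown}")


def check_evidence(api_output: dict) -> tuple:
    """Evaluate the document returned by `aws iam get-account-password-policy`.
    When no policy exists the CLI returns a NoSuchEntity error instead of a
    document, so an absent policy never reaches this function."""
    flag = api_output.get("PasswordPolicy", {}).get("RequireUppercaseCharacters", False)
    return ("PASS" if flag is True else "FAIL",
            f"RequireUppercaseCharacters={json.dumps(flag)}")


def _plan(resources: list, nested: bool = False) -> dict:
    """Build a minimal plan document; nested=True puts the resources in a child module."""
    root = {"resources": []}
    if nested:
        root["child_modules"] = [{"address": "module.baseline", "resources": resources}]
    else:
        root["resources"] = resources
    return {"format_version": "1.2", "planned_values": {"root_module": root}}


# Constructed sample resources, shaped like planned_values entries.
POLICY_OK = {"address": "aws_iam_account_password_policy.this", "mode": "managed",
             "type": RESOURCE_TYPE, "name": "this",
             "values": {"minimum_password_length": 14, "max_password_age": 90, ARG: True}}
POLICY_OMITTED = {**POLICY_OK, "values": {"minimum_password_length": 14}}
POLICY_FALSE = {**POLICY_OK, "values": {"minimum_password_length": 14, ARG: False}}
SOME_USER = {"address": "aws_iam_user.breakglass", "mode": "managed",
             "type": "aws_iam_user", "name": "breakglass", "values": {"name": "breakglass"}}

SAMPLE_PLANS = {
    "compliant": _plan([POLICY_OK, SOME_USER]),
    "nested module": _plan([POLICY_OK], nested=True),
    "argument omitted": _plan([POLICY_OMITTED]),
    "argument false": _plan([POLICY_FALSE]),
    "no policy resource": _plan([SOME_USER]),
    "declared twice": _plan([POLICY_OK, {**POLICY_OK, "name": "dup",
                                         "address": "aws_iam_account_password_policy.dup"}]),
}

# Constructed stand-in for `aws iam get-account-password-policy` output.
SAMPLE_API_OUTPUT = {"PasswordPolicy": {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "ExpirePasswords": True, "MaxPasswordAge": 90, "PasswordReusePrevention": 24}}

if __name__ == "__main__":
    for label, plan in SAMPLE_PLANS.items():
        status, reason = check_plan(plan)
        print(f"[{status}] plan '{label}': {reason}")
    status, reason = check_evidence(SAMPLE_API_OUTPUT)
    print(f"[{status}] evidence: {reason}")
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and `check_plan(json.load(open("plan.json")))`; the evidence check takes the parsed output of `aws iam get-account-password-policy --output json`. Treating anything other than an explicit `true` as a failure is what makes the "omitted" pitfall visible before apply rather than at the next audit.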

Framework-specific interpretation

PCI DSS v4.0: Requirement 8.3.6 mandates password complexity for accounts used to access the cardholder data environment. Requiring uppercase characters is one component of the complexity parameters PCI assessors verify during a password policy review.

GDPR: Article 32 calls for technical measures proportional to risk. For controllers and processors with personal data accessible via IAM console credentials, password complexity is among the baseline controls data protection authorities have pointed to in enforcement decisions.

FedRAMP Moderate Baseline Rev 4: IA-5(1) calls for password complexity enforcement that includes mixed-case characters. At the Moderate baseline, the information system itself must enforce the requirement, not just document it as policy. The uppercase check directly satisfies part of that composition rule.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: iam_account_password_policy_one_uppercase_letter

  • AWS Config Managed Rule: IAM_PASSWORD_POLICY

  • Checkov Check: CKV_AWS_15

  • Powerpipe Control: aws_compliance.control.iam_account_password_policy_one_uppercase_letter

  • Prowler Check: iam_password_policy_uppercase

  • AWS Security Hub Control: IAM.11

  • Trivy Check: AWS-0061

Last reviewed: 2026-03-09