
IAM password policies should prevent password reuse

Password reuse is one of the most common ways credential compromise escalates. When users rotate passwords but cycle back to previous ones, an attacker who obtained an old credential through a breach or phishing attempt can regain access after a rotation event. Setting reuse prevention to 24 makes it impractical for users to cycle through passwords and return to a familiar one.

This is especially relevant in environments where console access is still required. Even with MFA enabled, the password remains a factor, and a reused password undermines the entire authentication chain.

Retrofit consideration

Changing the policy does not invalidate anyone's current password. Existing console users hit the new restriction the next time they change their password, whether voluntarily or because max_password_age expires it, and a password they have used recently will be rejected at that point. Communicate the change before applying it to avoid lockout confusion.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_iam_account_password_policy.

resource "aws_iam_account_password_policy" "this" {
  max_password_age             = 90   # forces rotation; reuse prevention only bites when a password changes
  minimum_password_length      = 14
  password_reuse_prevention    = 24   # AWS maximum (valid range 1-24); this control requires exactly 24
  require_lowercase_characters = true
  require_numbers              = true
  require_symbols              = true
  require_uppercase_characters = true
}

What this control checks

This control validates that the aws_iam_account_password_policy resource has password_reuse_prevention set to exactly 24, the maximum AWS accepts. A value of 23 or lower fails, and so does omitting the argument, because the policy is then created with no reuse prevention. If no aws_iam_account_password_policy resource is defined in the configuration at all, the control has nothing to evaluate and fails; at the account level that leaves the AWS default policy in place, which enforces no reuse prevention. A minimal resource that satisfies this check looks like:

resource "aws_iam_account_password_policy" "strict" {
  password_reuse_prevention = 24
}

Other arguments (minimum_password_length, require_symbols, max_password_age) are independent of this check but commonly live in the same resource block.

Common pitfalls

  • Only one password policy per account

    The aws_iam_account_password_policy resource is a singleton: there is exactly one policy per account and the resource has no name or ID of its own. If multiple Terraform stacks or workspaces declare it, each apply overwrites the other's settings. Use terraform import to bring an existing policy under management in exactly one state file, and do not declare it anywhere else.

  • Control requires exactly 24, not 'at least' 24

    AWS caps password_reuse_prevention at 24. Any value below that (e.g., 12) fails this control. There is no API path to set it higher, so 24 is both the floor and the ceiling for compliance here.

  • Policy does not apply to programmatic credentials

    The IAM password policy governs console passwords only. It has no effect on access keys, session tokens, or federated identities. In SSO-only environments where no IAM users have console passwords enabled, the policy still needs to be configured to pass this control, but it provides limited practical protection.

  • Terraform destroy removes the entire policy

    Running terraform destroy on the aws_iam_account_password_policy resource calls DeleteAccountPasswordPolicy, which reverts to the AWS default: no reuse prevention, no complexity requirements. Protect this resource with lifecycle { prevent_destroy = true }.

Audit evidence

An auditor expects to see aws iam get-account-password-policy output showing "PasswordReusePrevention": 24. If the account has no custom policy, the same command returns a NoSuchEntity error, which is itself evidence of a failing state. AWS Config rule iam-password-policy evaluation results, with its PasswordReusePrevention parameter at 24 (the rule's default), provide continuous evidence. IAM console screenshots (Account Settings) showing the configured policy work as point-in-time evidence. For organizations using Security Hub, the finding for control IAM.16 should show PASSED.
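The following is an added example, not code from the original page or from any of the tools listed below. It applies the control's own logic (described under "What this control checks") to live aws iam get-account-password-policy output, so the same evaluator can be used to produce the audit evidence above: exactly 24 passes; a lower or unset value fails; and an account with no custom policy, which the CLI reports as a NoSuchEntity error with nothing on stdout, also fails. The file name check_reuse.py and the sample JSON documents are assumptions constructed for the example.

```python
"""Evaluate the password-reuse control against `aws iam get-account-password-policy` output.

Usage:
    aws iam get-account-password-policy | python3 check_reuse.py
Run with no pipe, it evaluates the constructed samples below instead.
When the account has no custom policy the CLI exits non-zero and prints
nothing on stdout; empty input is therefore treated as "no policy".
"""
import json
import sys
from typing import Optional

# AWS accepts 1..24 for PasswordReusePrevention; the control requires the maximum.
REQUIRED_REUSE_PREVENTION = 24


def parse_cli_output(text: str) -> Optional[dict]:
    """Return the PasswordPolicy object from the CLI JSON, or None if the account has no policy."""
    if not text.strip():
        return None  # NoSuchEntity: the CLI wrote an error to stderr and nothing to stdout
    return json.loads(text).get("PasswordPolicy")


def evaluate_reuse_prevention(policy: Optional[dict]) -> dict:
    """Apply the control logic: PASS only when PasswordReusePrevention is exactly 24."""
    if policy is None:
        return {"status": "FAIL",
                "reason": "no account password policy; AWS default enforces no reuse prevention"}
    value = policy.get("PasswordReusePrevention")
    if value is None:
        return {"status": "FAIL",
                "reason": "policy exists but PasswordReusePrevention is unset (no reuse prevention)"}
    if value != REQUIRED_REUSE_PREVENTION:
        return {"status": "FAIL",
                "reason": f"PasswordReusePrevention is {value}; control requires {REQUIRED_REUSE_PREVENTION}"}
    return {"status": "PASS", "reason": "PasswordReusePrevention is 24"}


# Constructed sample outputs in the shape GetAccountPasswordPolicy returns (not real account data).
SAMPLE_COMPLIANT = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False}})
SAMPLE_WEAK = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
    "PasswordReusePrevention": 12}})
SAMPLE_ABSENT = ""  # what stdout carries when the CLI reports NoSuchEntity


def main() -> int:
    if sys.stdin.isatty():  # no pipe: demonstrate on the constructed samples
        for name, text in (("compliant", SAMPLE_COMPLIANT),
                           ("weak", SAMPLE_WEAK),
                           ("absent", SAMPLE_ABSENT)):
            finding = evaluate_reuse_prevention(parse_cli_output(text))
            print(f"{name}: {finding['status']} ({finding['reason']})")
        return 0
    finding = evaluate_reuse_prevention(parse_cli_output(sys.stdin.read()))
    print(f"{finding['status']}: {finding['reason']}")
    return 0 if finding["status"] == "PASS" else 1


if __name__ == "__main__":
    sys.exit(main())
```

The non-zero exit on FAIL lets the script sit in a CI or scheduled job alongside the Config rule; because the AWS CLI prints nothing on stdout for NoSuchEntity, the pipe form correctly reports the "no policy at all" case as a failure rather than crashing on empty input.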

CloudTrail logs for UpdateAccountPasswordPolicy API calls show when the policy was last changed and by whom, providing a change history.

Framework-specific interpretation

GDPR: Credential stuffing and replay attacks are a documented path to unauthorized access to personal data. Limiting password reuse cuts off that vector, which supports the confidentiality obligations under Article 32.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: iam_account_password_policy_reuse_24

  • AWS Config Managed Rule: IAM_PASSWORD_POLICY

  • Checkov Check: CKV_AWS_13

  • Powerpipe Control: aws_compliance.control.iam_account_password_policy_reuse_24

  • Prowler Check: iam_password_policy_reuse_24

  • AWS Security Hub Control: IAM.16

  • KICS Query: 89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a

  • Trivy Check: AWS-0056

Last reviewed: 2026-03-09