IAM password policies should have strong configurations with minimum length of 8 or greater

Short passwords are the path of least resistance for brute-force and dictionary attacks. NIST SP 800-63B sets 8 characters as the floor for memorized secrets; most organizations with any real security posture push that to 12 or 14.

Without an explicit account-level policy, AWS applies its own defaults for IAM user passwords. Those defaults are weaker than any deliberately configured policy, and they give you no auditability. Defining the policy in Terraform makes the configuration intentional, reviewable, and enforceable.

Retrofit consideration

Existing IAM users are not forced to change passwords when the policy changes. Passwords that predate the new policy remain valid until their next rotation. Set max_password_age or manually expire credentials with aws iam update-login-profile --password-reset-required to enforce compliance on current users.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_iam_account_password_policy.

resource "aws_iam_account_password_policy" "this" {
  # Force rotation so passwords that predate this policy eventually expire
  max_password_age               = 90
  # 14 exceeds the 8-character floor of this control and the 12 of PCI DSS v4.0
  minimum_password_length        = 14
  password_reuse_prevention      = 24
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  require_uppercase_characters   = true
  # Lets users rotate their own console password without an administrator
  allow_users_to_change_password = true
}

What this control checks

The policy engine checks the aws_iam_account_password_policy resource. minimum_password_length must be 8 or higher, and require_lowercase_characters, require_uppercase_characters, require_numbers, and require_symbols must each be true. Set allow_users_to_change_password to true as well so users can self-service rotations. If the resource is absent, the account falls back to AWS defaults, which fails this control. Only one aws_iam_account_password_policy can exist per account.
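The evaluation described above, as an added example that is not Compliance.tf's or AWS's own code: it reads the JSON shape printed by aws iam get-account-password-policy, treats a missing policy (the CLI's NoSuchEntity error, modelled here as None) as a fall-back to AWS defaults, and separates hard failures from advisories. The field names are the real API fields; the sample policies are constructed.

```python
import json

MIN_LENGTH = 8            # floor this control enforces
RECOMMENDED_LENGTH = 14   # covers PCI DSS v4.0 req. 8.3.6 (12) with margin
REQUIRED_TRUE = ("RequireLowercaseCharacters", "RequireUppercaseCharacters",
                 "RequireNumbers", "RequireSymbols")


def evaluate_policy(policy):
    """Evaluate the PasswordPolicy object from the CLI; None means no policy exists.

    Returns {"compliant": bool, "findings": [...], "advisories": [...]}.
    Findings fail the control; advisories pass it but flag weaker settings.
    """
    if policy is None:
        # NoSuchEntity from the CLI: AWS defaults apply, which fails the control.
        return {"compliant": False, "advisories": [],
                "findings": ["no account password policy set; AWS defaults apply"]}
    findings, advisories = [], []
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(f"MinimumPasswordLength={length} is below {MIN_LENGTH}")
    elif length < RECOMMENDED_LENGTH:
        advisories.append(f"MinimumPasswordLength={length} passes but is below "
                          f"{RECOMMENDED_LENGTH} expected by stricter frameworks")
    for key in REQUIRED_TRUE:
        if policy.get(key) is not True:
            findings.append(f"{key} must be true")
    if policy.get("AllowUsersToChangePassword") is not True:
        advisories.append("AllowUsersToChangePassword should be true for self-service rotation")
    if not policy.get("ExpirePasswords"):
        advisories.append("no MaxPasswordAge: pre-existing weak passwords never rotate")
    return {"compliant": not findings, "findings": findings, "advisories": advisories}


def parse_cli_output(text):
    """Unwrap the {"PasswordPolicy": {...}} envelope printed by the CLI."""
    return json.loads(text)["PasswordPolicy"]


# Constructed samples in the CLI's output shape (not captured from a real account).
WEAK_POLICY_JSON = """{"PasswordPolicy": {"MinimumPasswordLength": 6,
  "RequireSymbols": false, "RequireNumbers": true, "RequireUppercaseCharacters": true,
  "RequireLowercaseCharacters": true, "AllowUsersToChangePassword": false,
  "ExpirePasswords": false}}"""
STRONG_POLICY_JSON = """{"PasswordPolicy": {"MinimumPasswordLength": 14,
  "RequireSymbols": true, "RequireNumbers": true, "RequireUppercaseCharacters": true,
  "RequireLowercaseCharacters": true, "AllowUsersToChangePassword": true,
  "ExpirePasswords": true, "MaxPasswordAge": 90, "PasswordReusePrevention": 24}}"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_POLICY_JSON), ("strong", STRONG_POLICY_JSON)):
        print(label, evaluate_policy(parse_cli_output(raw)))
    print("absent", evaluate_policy(None))
```

Pipe the real CLI output into parse_cli_output, and handle a non-zero exit with NoSuchEntity by passing None, to get the same verdict the policy engine reaches on the Terraform resource.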

Common pitfalls

  • Existing passwords are not retroactively enforced

    Tightening the policy doesn't touch existing passwords. A user with a 6-character password keeps it until their next rotation. Set max_password_age in aws_iam_account_password_policy and use aws iam update-login-profile --password-reset-required to force rotation on accounts that need immediate compliance.

  • Only one password policy per account

    The aws_iam_account_password_policy resource is a singleton. Multiple Terraform stacks competing to manage it will conflict and potentially drift. Bring the existing policy into one state file with terraform import, then manage it from a dedicated identity stack.

  • Minimum length of exactly 8 may not satisfy stricter frameworks

    Passing this control at 8 characters doesn't mean you're done. PCI DSS v4.0 requirement 8.3.6 requires 12 characters minimum (or 8 if the platform doesn't support 12). Setting minimum_password_length to 14 covers most frameworks at once and avoids rework when audit scope expands.

  • Policy does not apply to root or federated users

    The IAM password policy covers IAM user console passwords only. Root account passwords, SSO users, and credentials from external identity providers are out of scope entirely. Root password strength and federated access controls need separate attention.

Audit evidence

aws iam get-account-password-policy output shows MinimumPasswordLength, RequireLowercaseCharacters, RequireUppercaseCharacters, RequireNumbers, and RequireSymbols. The Config rule iam-password-policy provides continuous evaluation status. IAM console screenshots from Account Settings are also accepted. For multi-account environments, Security Hub findings showing PASSED status across member accounts work as aggregated evidence.

Framework-specific interpretation

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: iam_account_password_policy_strong_min_length_8

  • AWS Config Managed Rule: IAM_PASSWORD_POLICY

  • Checkov Check: CKV_AWS_10

  • Powerpipe Control: aws_compliance.control.iam_account_password_policy_strong_min_length_8

  • Prowler Checks: iam_password_policy_lowercase, iam_password_policy_minimum_length_14, iam_password_policy_number, iam_password_policy_symbol, iam_password_policy_uppercase

  • AWS Security Hub Controls: IAM.10, IAM.7

  • Trivy Check: AWS-0063

Last reviewed: 2026-03-09