AWS IAM password policy does not have a minimum of 14 characters

Description

Password policies are used to enforce password complexity requirements. The IAM password policy should require a mix of character types and, in addition, a minimum password length of 14 characters, which raises the cost of brute-force attacks against IAM user passwords.

Fix - Runtime

AWS Console

To change the password policy in the AWS Console you will need appropriate permissions to View Identity Access Management Account Settings.

To manually set the password policy with a minimum length, follow these steps:

  1. Log in to the AWS Management Console as an IAM user at https://console.aws.amazon.com/iam/.
  2. Navigate to IAM Services.
  3. In the left pane, click Account Settings.
  4. Set Minimum password length to 14 or greater.
  5. Click Apply password policy.

CLI Command

To change the password policy, use the following command:

aws iam update-account-password-policy --minimum-password-length 14

Note

All commands starting with aws iam update-account-password-policy can be combined into a single command.
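The following is an added example and not part of this page or of any tool it describes: a small Python check that reads the JSON output of `aws iam get-account-password-policy` (a constructed sample is embedded), reports which settings fall short of the policy above, and assembles the single combined remediation command. It assumes the response keys of that CLI call and the update flags named here; because `update-account-password-policy` does not support partial updates (unspecified settings revert to their defaults), the generated command always passes the full set of settings rather than only the failing ones.

```python
import json
import shlex

# Minimum password length required by the policy check on this page.
REQUIRED_MIN_LENGTH = 14

# Keys as returned by `aws iam get-account-password-policy`, mapped to the
# `update-account-password-policy` flag that enables each setting.
REQUIRED_FLAGS = {
    "RequireUppercaseCharacters": "--require-uppercase-characters",
    "RequireLowercaseCharacters": "--require-lowercase-characters",
    "RequireNumbers": "--require-numbers",
    "RequireSymbols": "--require-symbols",
    "AllowUsersToChangePassword": "--allow-users-to-change-password",
}

# Constructed sample (not real account data): the JSON shape of
# `aws iam get-account-password-policy` for an account whose policy only
# enforces an 8-character minimum and no symbols.
SAMPLE_RESPONSE = json.dumps({
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": False,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": False,
        "ExpirePasswords": False,
    }
})


def find_findings(response_json):
    """Return the names of settings that fail the check.

    Pass None when the account has no custom password policy at all (the
    CLI call then fails with NoSuchEntity); every setting is reported as
    failing in that case, since the AWS defaults do not meet this policy.
    """
    policy = json.loads(response_json)["PasswordPolicy"] if response_json else {}
    findings = []
    if policy.get("MinimumPasswordLength", 0) < REQUIRED_MIN_LENGTH:
        findings.append("MinimumPasswordLength")
    findings += [key for key in REQUIRED_FLAGS if not policy.get(key, False)]
    return findings


def remediation_command(findings):
    """Build the single combined update command the Note above refers to.

    All settings are always included: the update call is not a partial
    update, so omitting a flag would reset that setting to its default.
    """
    if not findings:
        return None
    args = ["aws", "iam", "update-account-password-policy",
            "--minimum-password-length", str(REQUIRED_MIN_LENGTH)]
    args += list(REQUIRED_FLAGS.values())
    return shlex.join(args)
```

Run `find_findings(SAMPLE_RESPONSE)` to see the three failing settings in the sample, and `remediation_command(...)` to get the command that mirrors the Terraform resource below.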

Fix - Buildtime

Terraform

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
}