AWS IAM Account Password Policy

This page shows how to write Terraform and CloudFormation for the IAM Account Password Policy, and how to write that configuration securely.

aws_iam_account_password_policy (Terraform)

The Account Password Policy in IAM can be configured in Terraform with the resource name aws_iam_account_password_policy. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

Each snippet below is an excerpt from the linked file. Several of these files deliberately declare weak values or more than one policy in the same file (resource names such as "valid" and "invalid_1" mark them as checker test cases), so they show what a checker flags rather than what to deploy; only one account password policy exists per AWS account.

iamaccountpasswordpolicy.tf#L1
resource "aws_iam_account_password_policy" "passwordRequireMinLength" {
  minimum_password_length = 5
}

resource "aws_iam_account_password_policy" "passwordRequireMinLength14" {
  minimum_password_length = 14
}

aws_iam_account_password_policy.tf#L6
resource "aws_iam_account_password_policy" "passwordRequireMinLength" {
  minimum_password_length = 6
}

resource "aws_iam_account_password_policy" "passwordRequireMinLength14" {
  minimum_password_length = 13
}

iam_cis.tf#L1
resource "aws_iam_account_password_policy" "uppercase" {
  minimum_password_length      = 14
  require_lowercase_characters = true
  require_numbers              = true
  require_uppercase_characters = false
  require_symbols              = true
}

account_password_policy.tf#L2
resource "aws_iam_account_password_policy" "account_password_policy" {
  minimum_password_length      = 14
  require_numbers              = true
  require_symbols              = true
  require_lowercase_characters = true
  require_uppercase_characters = true
}

iam_password_length_infra.tf#L18
resource "aws_iam_account_password_policy" "valid" {
  minimum_password_length = 8
}

resource "aws_iam_account_password_policy" "invalid_1" {
  minimum_password_length = 4
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_iam_account_password_policy

There are 6 settings in aws_iam_account_password_policy that should be taken care of for security reasons. The following sections give an overview of each setting and the argument that controls it.

Ensure AWS IAM account password policies require long passwords

Enforce long passwords to reduce the risk of brute-force and password-guessing attacks. Length is set with minimum_password_length; the CIS AWS Foundations Benchmark recommends 14 or more, and values such as 4, 5 or 6 in the examples above fall well short of that.

Ensure AWS IAM account password policies require lowercase characters

Enforce complex passwords to reduce the risk of brute-force attacks by setting require_lowercase_characters = true.

Ensure AWS IAM account password policies require numbers

Enforce complex passwords to reduce the risk of brute-force attacks by setting require_numbers = true.

Ensure AWS IAM account password policies prohibit password reuse

Prohibit reuse so that a previously compromised password cannot be set again at the next rotation. The number of previous passwords IAM remembers is set with password_reuse_prevention (1 to 24); the CIS AWS Foundations Benchmark recommends 24. None of the examples above sets it.

Ensure AWS IAM account password policies require symbols

Enforce complex passwords to reduce the risk of brute-force attacks by setting require_symbols = true.

Ensure AWS IAM account password policies require uppercase characters

Enforce complex passwords to reduce the risk of brute-force attacks by setting require_uppercase_characters = true. Note that the iam_cis.tf example above explicitly sets it to false.
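The six checks above can be run against an account that was not built from Terraform, or to confirm that an apply actually took effect. The following script is an added example, not code from the original page or from Shisho Cloud. It evaluates the PasswordPolicy mapping that boto3's iam.get_account_password_policy() returns, using the CIS AWS Foundations Benchmark thresholds (14 characters, 24 remembered passwords) as its own assumption for "long" and "prohibited reuse", and handles the case where the account has no custom policy at all. The two sample policies are constructed here, not taken from any real account; boto3 is only needed for the --live mode.

```python
"""Audit an AWS IAM account password policy against the six settings above.

Added example; not code from the original page or from Shisho Cloud.
Works on the 'PasswordPolicy' mapping returned by boto3's
iam.get_account_password_policy(), so it runs against the live account
(--live) or against the constructed sample policies below.
"""
from __future__ import annotations

from typing import Callable, Optional

MIN_LENGTH = 14            # CIS recommendation: minimum length 14 or more
MIN_REUSE_PREVENTION = 24  # CIS recommendation: remember the last 24 passwords

# (Terraform argument name, predicate over the GetAccountPasswordPolicy mapping).
# Keys IAM omits when a setting is unset (e.g. PasswordReusePrevention) count
# as "not enforced".
CHECKS: tuple[tuple[str, Callable[[dict], bool]], ...] = (
    ("minimum_password_length",
     lambda p: p.get("MinimumPasswordLength", 0) >= MIN_LENGTH),
    ("require_lowercase_characters",
     lambda p: bool(p.get("RequireLowercaseCharacters", False))),
    ("require_numbers",
     lambda p: bool(p.get("RequireNumbers", False))),
    ("password_reuse_prevention",
     lambda p: p.get("PasswordReusePrevention", 0) >= MIN_REUSE_PREVENTION),
    ("require_symbols",
     lambda p: bool(p.get("RequireSymbols", False))),
    ("require_uppercase_characters",
     lambda p: bool(p.get("RequireUppercaseCharacters", False))),
)


def audit_password_policy(policy: Optional[dict]) -> list[str]:
    """Return the Terraform argument names of the checks that fail.

    `policy` is the 'PasswordPolicy' mapping, or None when the account has no
    custom policy (IAM answers NoSuchEntity). With no custom policy nothing in
    the list above is explicitly enforced, so every check is reported failing.
    """
    if policy is None:
        return [name for name, _ in CHECKS]
    return [name for name, ok in CHECKS if not ok(policy)]


def fetch_live_policy() -> Optional[dict]:
    """Read the caller's account policy with boto3; None if no policy is set."""
    import boto3  # imported here so the audit itself has no AWS dependency

    iam = boto3.client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return None


# Constructed sample responses in the shape boto3 returns (not real accounts).
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    # PasswordReusePrevention is absent: reuse prevention was never set
}

HARDENED_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}

if __name__ == "__main__":
    import sys

    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    policy = fetch_live_policy() if live else WEAK_POLICY
    failed = audit_password_policy(policy)
    for name in failed:
        print(f"FAIL {name}")
    print("compliant" if not failed else f"{len(failed)} check(s) failed")
    sys.exit(1 if failed else 0)
```

Run without arguments it reports the four failures of the constructed weak policy; with --live it needs credentials that allow iam:GetAccountPasswordPolicy and exits non-zero when any check fails, so it can gate a pipeline. The failed check names are the Terraform argument names, so each finding maps directly onto the line to change in aws_iam_account_password_policy.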

Review your AWS IAM settings

You can check whether the aws_iam_account_password_policy settings in your .tf file are correct in about 3 minutes with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Manages the Password Policy for the AWS Account. See more about the Account Password Policy in the official AWS docs.

-> Note: There is only a single policy allowed per AWS account. An existing policy will be lost when using this resource as an effect of this limitation. Declare the resource once per account: two aws_iam_account_password_policy resources in the same configuration (as in some of the GitHub examples above) both write the same account-wide policy and overwrite each other.

AWS::IAM::User LoginProfile (CloudFormation)

The User LoginProfile in IAM can be configured in CloudFormation with the resource name AWS::IAM::User LoginProfile. Note that this is a different object from the account password policy: a LoginProfile sets the console password for one IAM user, and the password it sets must itself satisfy the account password policy or the create fails with a PasswordPolicyViolation error. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

Password The user's password. A literal value here is stored in plaintext in the template and is readable by anyone who can retrieve the stack template; prefer a dynamic reference to a secret in AWS Secrets Manager (for example {{resolve:secretsmanager:secret-id:SecretString:password}}) and set PasswordResetRequired to true so the initial value is replaced at first sign-in.
Required: Yes
Type: String
Update requires: No interruption

PasswordResetRequired Specifies whether the user is required to set a new password on next sign-in.
Required: No
Type: Boolean
Update requires: No interruption

Explanation in CloudFormation Registry

Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console. For more information about managing passwords, see Managing Passwords in the IAM User Guide.

Frequently asked questions

What is AWS IAM Account Password Policy?

AWS IAM Account Password Policy is a resource for IAM of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS IAM Account Password Policy?

For Terraform, the storebot/pr_demo_flat, kanchwala-yusuf/aws-terraform and snyk-labs/infrastructure-as-code-goof source code examples are useful. See the Terraform Example section for further details.