AWS IAM Account Password Policy
This page shows how to write Terraform and CloudFormation for IAM Account Password Policy and write them securely.
aws_iam_account_password_policy (Terraform)
The Account Password Policy in IAM can be configured in Terraform with the resource name aws_iam_account_password_policy. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
# Example 1
resource "aws_iam_account_password_policy" "passwordRequireMinLength" {
  minimum_password_length = 5
}
resource "aws_iam_account_password_policy" "passwordRequireMinLength14" {
  minimum_password_length = 14
}

# Example 2
resource "aws_iam_account_password_policy" "passwordRequireMinLength" {
  minimum_password_length = 6
}
resource "aws_iam_account_password_policy" "passwordRequireMinLength14" {
  minimum_password_length = 13
}

# Example 3 (uppercase characters are not required)
resource "aws_iam_account_password_policy" "uppercase" {
  minimum_password_length      = 14
  require_lowercase_characters = true
  require_numbers              = true
  require_uppercase_characters = false
  require_symbols              = true
}

# Example 4 (all four character classes required)
resource "aws_iam_account_password_policy" "account_password_policy" {
  minimum_password_length      = 14
  require_numbers              = true
  require_symbols              = true
  require_lowercase_characters = true
  require_uppercase_characters = true
}

# Example 5
resource "aws_iam_account_password_policy" "valid" {
  minimum_password_length = 8
}
resource "aws_iam_account_password_policy" "invalid_1" {
  minimum_password_length = 4
}
Security Best Practices for aws_iam_account_password_policy
There are 6 settings in aws_iam_account_password_policy that should be taken care of for security reasons. The following sections give an overview of each.
Ensure AWS IAM account password policies require long passwords
Enforce long and complex passwords (minimum_password_length) to reduce the risk of brute-force attacks.
Ensure to require lowercase characters in AWS IAM account password policies
Enforce complex passwords (require_lowercase_characters) to reduce the risk of brute-force attacks.
Ensure to require numbers in AWS IAM account password policies
Enforce complex passwords (require_numbers) to reduce the risk of brute-force attacks.
Ensure password reuse of AWS IAM User is prohibited
Prohibit password reuse (password_reuse_prevention) to reduce the risk of compromised passwords being abused.
Ensure to require symbols in AWS IAM account password policies
Enforce complex passwords (require_symbols) to reduce the risk of brute-force attacks.
Ensure to require uppercase characters in AWS IAM account password policies
Enforce complex passwords (require_uppercase_characters) to reduce the risk of brute-force attacks.
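One way to check a Terraform file against the six settings above before it is applied. This is an added example, not code from this page or from the Terraform provider. The function names, the floors of 14 characters and 1 remembered password, the "hardened" block, and the choice to treat an unset attribute as a finding are all assumptions.

```python
import re

# Assumed floors (the page gives no numbers); adjust to your own baseline.
FLOORS = (("minimum_password_length", 14), ("password_reuse_prevention", 1))
REQUIRED_TRUE = ("require_lowercase_characters", "require_numbers",
                 "require_symbols", "require_uppercase_characters")
# The resource has only flat attributes, so a brace-to-brace match suffices.
BLOCK_RE = re.compile(
    r'resource\s+"aws_iam_account_password_policy"\s+"([^"]+)"\s*\{([^}]*)\}')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*([^\s#]+)', re.MULTILINE)

def parse_policies(hcl):
    """Return [(resource_name, {attribute: raw_value})] for each block."""
    return [(name, dict(ATTR_RE.findall(body)))
            for name, body in BLOCK_RE.findall(hcl)]

def below(attrs, key, floor):
    """True when key is unset, not a literal number, or under the floor."""
    value = attrs.get(key, "")
    return not value.isdigit() or int(value) < floor

def audit(attrs):
    """List which of the six settings a block fails to enforce explicitly."""
    findings = [k for k, floor in FLOORS if below(attrs, k, floor)]
    return findings + [k for k in REQUIRED_TRUE if attrs.get(k) != "true"]

# Constructed input: the page's "uppercase" example and a hypothetical
# "hardened" block that sets all six attributes.
SAMPLE = '''
resource "aws_iam_account_password_policy" "uppercase" {
  minimum_password_length      = 14
  require_lowercase_characters = true
  require_numbers              = true
  require_uppercase_characters = false
  require_symbols              = true
}
resource "aws_iam_account_password_policy" "hardened" {
  minimum_password_length      = 14
  password_reuse_prevention    = 24
  require_lowercase_characters = true
  require_numbers              = true
  require_symbols              = true
  require_uppercase_characters = true
}
'''

if __name__ == "__main__":
    for name, attrs in parse_policies(SAMPLE):
        print(name, audit(attrs) or "ok")
```

Values supplied through variables or expressions are not evaluated and are reported as findings, so they get a manual look.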
Parameters
allow_users_to_change_password - optional - bool
expire_passwords - optional computed - bool
hard_expiry - optional computed - bool
id - optional computed - string
max_password_age - optional computed - number
minimum_password_length - optional - number
password_reuse_prevention - optional computed - number
require_lowercase_characters - optional computed - bool
require_numbers - optional computed - bool
require_symbols - optional computed - bool
require_uppercase_characters - optional computed - bool
Explanation in Terraform Registry
Manages Password Policy for the AWS Account. See more about Account Password Policy in the official AWS docs.
Note: There is only a single policy allowed per AWS account. An existing policy will be lost when using this resource as an effect of this limitation.
AWS::IAM::User LoginProfile (CloudFormation)
The User LoginProfile in IAM can be configured in CloudFormation with the resource name AWS::IAM::User LoginProfile. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
Password
The user's password.
Required: Yes
Type: String
Update requires: No interruption
PasswordResetRequired
Specifies whether the user is required to set a new password on next sign-in.
Required: No
Type: Boolean
Update requires: No interruption
Explanation in CloudFormation Registry
Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console. For more information about managing passwords, see Managing Passwords in the IAM User Guide.
Frequently asked questions
What is AWS IAM Account Password Policy?
AWS IAM Account Password Policy is a resource for IAM of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS IAM Account Password Policy?
For Terraform, the storebot/pr_demo_flat, kanchwala-yusuf/aws-terraform and snyk-labs/infrastructure-as-code-goof source code examples are useful. See the Terraform Example section for further details.