
πŸ“ AWS Account IAM Password Policy minimum password length is 14 characters or less 🟒

  • Contextual name: πŸ“ IAM Password Policy minimum password length is 14 characters or less 🟒
  • ID: /ce/ca/aws/account/password-policy-minimum-password-length-14
  • Located in: πŸ“ AWS Account

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Logic

Description

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure that passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14.

Rationale​

Setting a password complexity policy increases account resiliency against brute force login attempts.

Audit​

Perform the following to ensure the password policy is configured as prescribed:

From Console
  1. Log in to the AWS Console (with appropriate permissions to view Identity and Access Management account settings).
  2. Go to the IAM service in the AWS Console.
  3. Click Account Settings in the left pane.
  4. Ensure "Minimum password length" is set to 14 or greater.

From Command Line
  1. Run the following command:

     aws iam get-account-password-policy

Ensure the output of the above command includes "MinimumPasswordLength": 14 (or higher).

References​

  1. CCE-78907-3
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html

Remediation

Perform the following to set the password policy as prescribed:

From Console

  1. Log in to the AWS Console (with appropriate permissions to view Identity and Access Management account settings).
  2. Go to the IAM service in the AWS Console.
  3. Click Account Settings in the left pane.
  4. Set Minimum password length to 14 or greater.
  5. Click Apply password policy.

From Command Line​

Run the following command:

aws iam update-account-password-policy --minimum-password-length 14

Note: All commands starting with "aws iam update-account-password-policy" can be combined into a single command.
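As an added example, not part of this policy page or Cloudaware's own logic: the command-line audit from the Audit section and the remediation command from this section, in Python, working from the JSON that `aws iam get-account-password-policy` prints. It assumes the CLI flag names listed in `_FLAGS` (the API parameter names in kebab-case), treats a NoSuchEntity error (no custom policy has ever been set) as a failed check rather than a skipped one, and re-states the existing settings in the update command because update-account-password-policy does not do partial updates; the sample output is constructed.

```python
import json
import shlex

REQUIRED_MIN_LENGTH = 14  # threshold this policy enforces
# get-account-password-policy keys that update-account-password-policy also
# accepts, with their CLI flags (ExpirePasswords is output-only, so omitted).
_FLAGS = {
    "MinimumPasswordLength": "--minimum-password-length",
    "RequireSymbols": "--require-symbols",
    "RequireNumbers": "--require-numbers",
    "RequireUppercaseCharacters": "--require-uppercase-characters",
    "RequireLowercaseCharacters": "--require-lowercase-characters",
    "AllowUsersToChangePassword": "--allow-users-to-change-password",
    "MaxPasswordAge": "--max-password-age",
    "PasswordReusePrevention": "--password-reuse-prevention",
    "HardExpiry": "--hard-expiry",
}

def _policy(cli_output):
    """cli_output: JSON stdout of the get command, or None on NoSuchEntity (no custom policy)."""
    return {} if cli_output is None else json.loads(cli_output).get("PasswordPolicy", {})

def audit(cli_output):
    """Return (compliant, minimum_length). A missing policy means the AWS
    default applies, so the check fails instead of being skipped."""
    length = _policy(cli_output).get("MinimumPasswordLength")
    if not isinstance(length, int):
        return False, None
    return length >= REQUIRED_MIN_LENGTH, length

def remediation_command(cli_output):
    """Build one update-account-password-policy command that raises the minimum
    to 14 and re-states every other current setting: the API does not do
    partial updates, so any flag left out reverts to its default value."""
    policy = _policy(cli_output)
    policy["MinimumPasswordLength"] = max(REQUIRED_MIN_LENGTH, policy.get("MinimumPasswordLength", 0))
    args = ["aws", "iam", "update-account-password-policy"]
    for key, flag in _FLAGS.items():
        if key in policy:
            value = policy[key]
            if isinstance(value, bool):  # booleans become --flag / --no-flag
                args.append(flag if value else flag.replace("--", "--no-", 1))
            else:
                args += [flag, str(value)]
    return shlex.join(args)

# Constructed sample CLI output (not from a real account): minimum too short.
SAMPLE_WEAK = json.dumps({"PasswordPolicy": {"MinimumPasswordLength": 8,
    "RequireSymbols": True, "RequireNumbers": True, "RequireUppercaseCharacters": False,
    "ExpirePasswords": True, "MaxPasswordAge": 90, "HardExpiry": False}})
```

Verify the generated flags against `aws iam update-account-password-policy help` in your CLI version before running the command.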

policy.yaml

Linked Framework Sections

Section → Sub Section | Internal Rules / Policies / Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.7] Password policies for IAM users should have strong configurations | 12
💼 CIS AWS v1.2.0 → 💼 1.9 Ensure IAM password policy requires minimum length of 14 or greater | 1
💼 CIS AWS v1.3.0 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater | 1
💼 CIS AWS v1.4.0 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater | 1
💼 CIS AWS v1.5.0 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater - Level 1 (Automated) | 1
💼 CIS AWS v2.0.0 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater - Level 1 (Automated) | 1
💼 CIS AWS v3.0.0 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater - Level 1 (Automated) | 1
💼 CIS AWS v4.0.0 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater (Automated) | 1
💼 CIS AWS v4.0.1 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater (Automated) | 1
💼 CIS AWS v5.0.0 → 💼 1.7 Ensure IAM password policy requires minimum length of 14 or greater (Automated) | 1
💼 Cloudaware Framework → 💼 Credential Lifecycle Management | 17
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 16
💼 FedRAMP High Security Controls → 💼 AC-2(3) Disable Accounts (M)(H) | 4
💼 FedRAMP High Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 14
💼 FedRAMP Low Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 4
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 16
💼 FedRAMP Moderate Security Controls → 💼 AC-2(3) Disable Accounts (M)(H) | 4
💼 FedRAMP Moderate Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 4
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management | 416
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(3) Account Management _ Disable Accounts | 14
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | 10
💼 NIST SP 800-53 Revision 5 → 💼 IA-5(1) Authenticator Management _ Password-based Authentication | 4
💼 PCI DSS v3.2.1 → 💼 8.2.3 Passwords/passphrases must have complexity and strength. | 12
💼 PCI DSS v3.2.1 → 💼 8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used. | 12
💼 PCI DSS v4.0.1 → 💼 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity. | 2
💼 PCI DSS v4.0.1 → 💼 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. | 2
💼 PCI DSS v4.0 → 💼 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity. | 2
💼 PCI DSS v4.0 → 💼 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. | 2