
πŸ›‘οΈ AWS Account IAM Password Policy minimum password length is 14 characters or less🟒

  • Contextual name: 🛡️ IAM Password Policy minimum password length is 14 characters or less 🟢
  • ID: /ce/ca/aws/account/password-policy-minimum-password-length-14
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14.

Rationale

Setting a password complexity policy increases account resiliency against brute force login attempts.

Audit

Perform the following to ensure the password policy is configured as prescribed:

From Console
  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings).
  2. Go to IAM Service on the AWS Console.
  3. Click on Account Settings on the Left Pane.
  4. Ensure "Minimum password length" is set to 14 or greater.
From Command Line
  1. Run the following command:

    aws iam get-account-password-policy

Ensure the output of the above command includes "MinimumPasswordLength": 14 (or higher).

References

  1. CCE-78907-3
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html


Remediation

Perform the following to set the password policy as prescribed:

From Console

  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings).
  2. Go to IAM Service on the AWS Console.
  3. Click on Account Settings on the Left Pane.
  4. Set Minimum password length to 14 or greater.
  5. Click Apply password policy.

From Command Line

Run the following command:

    aws iam update-account-password-policy --minimum-password-length 14

Note: All commands starting with "aws iam update-account-password-policy" can be combined into a single command.
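As an added example (not part of this policy page and not Cloudaware's own check logic), the Python script below evaluates the parsed output of `aws iam get-account-password-policy` against the 14-character minimum, treats an account with no password policy at all (the CLI's NoSuchEntity error) as non-compliant, and builds the single combined remediation command the note above describes. The function names, the constructed sample response and the `--live` switch are this example's own assumptions. The remediation builder restates every existing setting because `update-account-password-policy` does not do partial updates: any parameter left out reverts to its default, so a bare `--minimum-password-length 14` would silently drop the rest of the policy.

```python
"""Audit and remediation helper for the IAM account password policy minimum length.

Added example for this policy page; not Cloudaware's own code. Run with --live
to query the real account via the AWS CLI, otherwise a constructed sample is used.
"""
import json
import subprocess
import sys

REQUIRED_MIN_LENGTH = 14

# PasswordPolicy keys (as returned by get-account-password-policy) mapped to the
# corresponding update-account-password-policy flags.
NUMERIC_FLAGS = {
    "MinimumPasswordLength": "--minimum-password-length",
    "MaxPasswordAge": "--max-password-age",
    "PasswordReusePrevention": "--password-reuse-prevention",
}
BOOLEAN_FLAGS = {
    "RequireSymbols": "--require-symbols",
    "RequireNumbers": "--require-numbers",
    "RequireUppercaseCharacters": "--require-uppercase-characters",
    "RequireLowercaseCharacters": "--require-lowercase-characters",
    "AllowUsersToChangePassword": "--allow-users-to-change-password",
    "HardExpiry": "--hard-expiry",
}

# Constructed sample response (not from a real account): a typical weak policy
# that satisfies everything except the 14-character minimum.
SAMPLE_WEAK_POLICY = {
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "ExpirePasswords": True,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 24,
        "HardExpiry": False,
    }
}


def evaluate_password_policy(response):
    """Return (compliant, reason) for a parsed get-account-password-policy response.

    `response` is None when the account has no password policy (the CLI returns
    NoSuchEntity). That is non-compliant: IAM then applies its default policy,
    which does not enforce a 14-character minimum.
    """
    if response is None:
        return False, "no account password policy is set"
    length = response.get("PasswordPolicy", {}).get("MinimumPasswordLength")
    if length is None:
        return False, "MinimumPasswordLength missing from policy"
    if length < REQUIRED_MIN_LENGTH:
        return False, f"MinimumPasswordLength is {length}, required >= {REQUIRED_MIN_LENGTH}"
    return True, f"MinimumPasswordLength is {length}"


def build_remediation_command(response):
    """Build one update-account-password-policy command that raises the minimum
    length to 14 while restating every other current setting, because the API
    resets any parameter that is omitted to its default value."""
    current = {} if response is None else dict(response.get("PasswordPolicy", {}))
    current["MinimumPasswordLength"] = max(
        current.get("MinimumPasswordLength", 0), REQUIRED_MIN_LENGTH
    )
    parts = ["aws", "iam", "update-account-password-policy"]
    for key, flag in NUMERIC_FLAGS.items():
        if key in current:
            parts += [flag, str(current[key])]
    for key, flag in BOOLEAN_FLAGS.items():
        if key in current:
            # Booleans use the --x / --no-x pair the CLI exposes for each setting.
            parts.append(flag if current[key] else flag.replace("--", "--no-", 1))
    return " ".join(parts)


def fetch_live_policy():
    """Query the account with the AWS CLI; None when no policy exists."""
    proc = subprocess.run(
        ["aws", "iam", "get-account-password-policy", "--output", "json"],
        capture_output=True, text=True,
    )
    if proc.returncode == 0:
        return json.loads(proc.stdout)
    if "NoSuchEntity" in proc.stderr:
        return None
    raise RuntimeError(proc.stderr.strip())


if __name__ == "__main__":
    policy = fetch_live_policy() if "--live" in sys.argv else SAMPLE_WEAK_POLICY
    compliant, reason = evaluate_password_policy(policy)
    print(("PASS: " if compliant else "FAIL: ") + reason)
    if not compliant:
        print("Remediation:", build_remediation_command(policy))
```

Running it without `--live` reports FAIL for the constructed sample and prints a remediation command that keeps the 90-day expiry, 24-password reuse prevention and the character-class requirements while raising the minimum to 14; with `--live` it uses whatever credentials and profile the AWS CLI is configured with.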


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.7] Password policies for IAM users should have strong configurations | 12 | no data
💼 CIS AWS v1.2.0 → 💼 1.9 Ensure IAM password policy requires minimum length of 14 or greater | 1 | no data
💼 CIS AWS v1.3.0 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater | 1 | no data
💼 CIS AWS v1.4.0 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater | 1 | no data
💼 CIS AWS v1.5.0 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater - Level 1 (Automated) | 1 | no data
💼 CIS AWS v2.0.0 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater - Level 1 (Automated) | 1 | no data
💼 CIS AWS v3.0.0 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater - Level 1 (Automated) | 1 | no data
💼 CIS AWS v4.0.0 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater (Automated) | 1 | no data
💼 CIS AWS v4.0.1 → 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater (Automated) | 1 | no data
💼 CIS AWS v5.0.0 → 💼 1.7 Ensure IAM password policy requires minimum length of 14 or greater (Automated) | 1 | no data
💼 CIS AWS v6.0.0 → 💼 2.7 Ensure IAM password policy requires minimum length of 14 or greater (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management | 18 | no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 18 | no data
💼 FedRAMP High Security Controls → 💼 AC-2(3) Disable Accounts (M)(H) | 4 | no data
💼 FedRAMP High Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 18 | no data
💼 FedRAMP Low Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 8 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 18 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(3) Disable Accounts (M)(H) | 4 | no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 8 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management | 418 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(3) Account Management _ Disable Accounts | 14 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | 13 | no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-5(1) Authenticator Management _ Password-based Authentication | 8 | no data
💼 PCI DSS v3.2.1 → 💼 8.2.3 Passwords/passphrases must have complexity and strength. | 12 | no data
💼 PCI DSS v3.2.1 → 💼 8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used. | 12 | no data
💼 PCI DSS v4.0.1 → 💼 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity. | 2 | no data
💼 PCI DSS v4.0.1 → 💼 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. | 2 | no data
💼 PCI DSS v4.0 → 💼 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity. | 12 | no data
💼 PCI DSS v4.0 → 💼 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. | 2 | no data