IAM Password Policy Requires Lowercase Letter
Overview
This check verifies that your AWS account's password policy requires at least one lowercase letter (a-z) in user passwords. Strong password policies are a foundational security control that helps protect your AWS resources from unauthorized access.
Risk
Without lowercase letter requirements, passwords have reduced complexity and are easier to guess. Attackers can use brute force or password spraying techniques to compromise IAM user accounts. A compromised account could lead to unauthorized access, data breaches, or malicious changes to your AWS environment.
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify IAM settings (typically requires admin access)
- Alternatively, AWS CLI installed and configured with appropriate credentials
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to IAM (search for "IAM" in the search bar)
- In the left sidebar, click Account settings
- Under "Password policy", click Edit
- Check the box for Require at least one lowercase letter (a-z)
- Click Save changes
Note: While you're here, consider enabling other password complexity requirements like uppercase letters, numbers, and symbols for a stronger overall policy.
AWS CLI (optional)
Run the following command to enable the lowercase letter requirement:
aws iam update-account-password-policy \
--require-lowercase-characters \
--region us-east-1
Important: The update-account-password-policy command does not support partial updates; it replaces the whole policy. Any setting you don't explicitly specify reverts to its default. To preserve your existing settings while adding the lowercase requirement, first retrieve the current policy with aws iam get-account-password-policy, then include every setting you want to keep in the update command.
To set a comprehensive password policy with multiple requirements:
aws iam update-account-password-policy \
--minimum-password-length 14 \
--require-lowercase-characters \
--require-uppercase-characters \
--require-numbers \
--require-symbols \
--allow-users-to-change-password \
--max-password-age 90 \
--password-reuse-prevention 24 \
--region us-east-1
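The retrieve-then-update pattern described above, as an added Python example (not part of this guide and not code from any AWS tool): it copies the policy returned by GetAccountPasswordPolicy, keeps only the keys UpdateAccountPasswordPolicy accepts (the response also carries the read-only ExpirePasswords field, which the update call rejects), sets the lowercase requirement, and falls back to the comprehensive baseline above when the account has no policy at all. The sample policy is constructed; only enforce_lowercase needs live credentials, and it imports boto3 lazily so the rest of the module runs offline.

```python
"""Preserve existing IAM password policy settings while adding the lowercase requirement.

Added example, not part of the original guide. The sample policy below is
constructed; only enforce_lowercase() talks to AWS.
"""
from typing import Any, Dict, Optional

# Parameters that iam:UpdateAccountPasswordPolicy accepts. GetAccountPasswordPolicy
# additionally returns ExpirePasswords, which is read-only and must be dropped
# before the values are passed back to the update call.
UPDATABLE_KEYS = (
    "MinimumPasswordLength",
    "RequireSymbols",
    "RequireNumbers",
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "AllowUsersToChangePassword",
    "MaxPasswordAge",
    "PasswordReusePrevention",
    "HardExpiry",
)

# Baseline applied when the account has no password policy at all; mirrors the
# comprehensive CLI command in this guide.
BASELINE_POLICY: Dict[str, Any] = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}

# Constructed sample of a GetAccountPasswordPolicy response body: an existing
# policy that lacks the lowercase requirement but does expire passwords.
SAMPLE_CURRENT_POLICY: Dict[str, Any] = {
    "MinimumPasswordLength": 12,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 60,
    "PasswordReusePrevention": 5,
}


def build_update_params(current: Optional[Dict[str, Any]], **overrides: Any) -> Dict[str, Any]:
    """Return the keyword arguments for update_account_password_policy.

    Starts from the current policy when one exists (keeping only updatable keys,
    so settings such as MaxPasswordAge survive the full-replace semantics), or
    from BASELINE_POLICY when the account has none, then applies the overrides.
    """
    if current is None:
        params = dict(BASELINE_POLICY)
    else:
        params = {k: v for k, v in current.items() if k in UPDATABLE_KEYS}
    params.update(overrides)
    return params


def enforce_lowercase(iam: Any = None) -> Dict[str, Any]:
    """Read the live policy, add the lowercase requirement, and write it back.

    Requires credentials with iam:GetAccountPasswordPolicy and
    iam:UpdateAccountPasswordPolicy. boto3 is imported here (assumption: it is
    installed where this runs) so the rest of the module works offline.
    """
    if iam is None:
        import boto3
        iam = boto3.client("iam")
    try:
        current = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        current = None  # no policy configured yet; start from the baseline
    params = build_update_params(current, RequireLowercaseCharacters=True)
    iam.update_account_password_policy(**params)
    return params


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: length 12, age 60 and
    # reuse prevention 5 are kept, ExpirePasswords is dropped, lowercase is set.
    print(build_update_params(SAMPLE_CURRENT_POLICY, RequireLowercaseCharacters=True))
```

Because every key from the current policy is echoed back, the call keeps the account's existing length, age and reuse settings instead of silently resetting them, which is exactly the failure the note above warns about.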
CloudFormation (optional)
AWS CloudFormation does not have a native resource type for IAM password policies. However, you can use a Custom Resource with a Lambda function to manage the password policy.
Here's an example CloudFormation template:
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Password Policy with lowercase letter requirement
Resources:
  PasswordPolicyFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: iam-password-policy-manager
      Runtime: python3.12
      Handler: index.handler
      Timeout: 30
      Role: !GetAtt PasswordPolicyRole.Arn
      Code:
        ZipFile: |
          import boto3
          import cfnresponse

          def handler(event, context):
              try:
                  # Apply the policy on stack create and update. Delete requests
                  # fall through and report SUCCESS so stack deletion is not blocked.
                  if event['RequestType'] in ['Create', 'Update']:
                      iam = boto3.client('iam')
                      iam.update_account_password_policy(
                          MinimumPasswordLength=14,
                          RequireSymbols=True,
                          RequireNumbers=True,
                          RequireUppercaseCharacters=True,
                          RequireLowercaseCharacters=True,
                          AllowUsersToChangePassword=True,
                          MaxPasswordAge=90,
                          PasswordReusePrevention=24
                      )
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
              except Exception as e:
                  # Report failure to CloudFormation so the stack rolls back instead of hanging.
                  print(f"Error: {e}")
                  cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)})
  PasswordPolicyRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: IAMPasswordPolicyAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - iam:UpdateAccountPasswordPolicy
                  - iam:GetAccountPasswordPolicy
                Resource: '*'
  PasswordPolicyCustomResource:
    Type: Custom::PasswordPolicy
    Properties:
      ServiceToken: !GetAtt PasswordPolicyFunction.Arn
Outputs:
  Status:
    Description: Password policy configuration status
    Value: Configured with lowercase letter requirement
Deploy with:
aws cloudformation deploy \
--template-file password-policy.yaml \
--stack-name iam-password-policy \
--capabilities CAPABILITY_IAM \
--region us-east-1
Terraform (optional)
Use the aws_iam_account_password_policy resource to configure the password policy:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}
Apply the configuration:
terraform init
terraform plan
terraform apply
Verification
After making changes, verify the password policy is correctly configured:
- In the AWS Console, go to IAM > Account settings
- Under "Password policy", confirm that Require at least one lowercase letter shows a checkmark
CLI verification
aws iam get-account-password-policy --region us-east-1
Look for "RequireLowercaseCharacters": true in the output:
{
  "PasswordPolicy": {
    "MinimumPasswordLength": 14,
    "RequireSymbols": true,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24
  }
}
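A scripted form of this verification step, as an added Python example (not from this guide or any AWS tool): it parses the same JSON that aws iam get-account-password-policy prints, answers the single question this check asks with lowercase_check, and with evaluate_policy compares the policy against every setting used in the comprehensive commands above, reporting an absent policy (the NoSuchEntity case, meaning the account is still on IAM defaults) and an absent MaxPasswordAge (passwords never expire) as findings. Both JSON samples are constructed; the compliant one repeats the values shown above.

```python
"""Evaluate the JSON returned by `aws iam get-account-password-policy`.

Added example, not part of the original guide. Both sample outputs are constructed.
"""
import json
from typing import Any, Dict, List, Optional

# Expected values, mirroring the comprehensive policy used throughout this guide.
REQUIRED_FLAGS = {
    "RequireLowercaseCharacters": True,
    "RequireUppercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "AllowUsersToChangePassword": True,
}
MIN_LENGTH = 14
MAX_AGE_DAYS = 90
REUSE_PREVENTION = 24

# Constructed: output of a compliant account (same values as the example above).
COMPLIANT_OUTPUT = """{
  "PasswordPolicy": {
    "MinimumPasswordLength": 14,
    "RequireSymbols": true,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24
  }
}"""

# Constructed: a weaker policy with no lowercase requirement and no expiration.
WEAK_OUTPUT = """{
  "PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": false,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": false,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": false
  }
}"""


def parse_cli_output(text: str) -> Dict[str, Any]:
    """Extract the PasswordPolicy object from the CLI's JSON output."""
    return json.loads(text)["PasswordPolicy"]


def lowercase_check(policy: Optional[Dict[str, Any]]) -> bool:
    """The check this guide covers: True only when a policy exists and requires a-z."""
    return policy is not None and policy.get("RequireLowercaseCharacters") is True


def evaluate_policy(policy: Optional[Dict[str, Any]]) -> List[str]:
    """Return one finding per unmet requirement; an empty list means compliant.

    `policy` is None when GetAccountPasswordPolicy raised NoSuchEntity, i.e. the
    account has never had a password policy set and is on the IAM defaults.
    """
    if policy is None:
        return ["no account password policy configured (NoSuchEntity)"]
    findings: List[str] = []
    for key, expected in REQUIRED_FLAGS.items():
        actual = policy.get(key, False)
        if actual != expected:
            findings.append(f"{key} is {actual}, expected {expected}")
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(f"MinimumPasswordLength is {length}, expected >= {MIN_LENGTH}")
    # MaxPasswordAge is omitted from the response when passwords never expire.
    age = policy.get("MaxPasswordAge")
    if age is None or age > MAX_AGE_DAYS:
        findings.append(f"MaxPasswordAge is {age}, expected 1..{MAX_AGE_DAYS}")
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < REUSE_PREVENTION:
        findings.append(f"PasswordReusePrevention is {reuse}, expected {REUSE_PREVENTION}")
    return findings


if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT_OUTPUT), ("weak", WEAK_OUTPUT)):
        policy = parse_cli_output(raw)
        print(label, "lowercase:", lowercase_check(policy), "findings:", evaluate_policy(policy))
```

To run it against a real account, pipe the CLI output in (for example, `aws iam get-account-password-policy | python3 check.py`, reading sys.stdin instead of the constructed strings); a non-zero exit on any finding makes it usable as a CI or scheduled drift check.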
Notes
- Password policy changes only affect new passwords. Existing user passwords are not automatically invalidated. Users will need to comply with the new policy the next time they change their passwords.
- Consider implementing MFA. Password policies are just one layer of security. Multi-factor authentication (MFA) provides additional protection even if passwords are compromised.
- The CLI command resets unspecified settings. When using aws iam update-account-password-policy, any settings you don't explicitly include will revert to their defaults. Always specify all desired policy settings in a single command.