IAM Password Policy Minimum Length 14

Overview

This check verifies that your AWS account's IAM password policy requires passwords to be at least 14 characters long. Longer passwords are significantly harder to crack through brute force or dictionary attacks.

Risk

When passwords are too short, they become vulnerable to:

  • Brute force attacks - Shorter passwords have fewer possible combinations, making them faster to crack
  • Dictionary attacks - Short passwords are more likely to be common words or simple patterns
  • Credential stuffing - Weak passwords are often reused across services and may already be in attacker databases
  • Account compromise - Once an IAM user account is compromised, attackers gain AWS console access to modify resources, access data, or move laterally through your environment

Remediation Steps

Prerequisites

  • AWS account access with permissions to modify IAM account settings
  • You need iam:UpdateAccountPasswordPolicy permission (typically available to administrators)

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to IAM (search for "IAM" in the top search bar)
  3. In the left sidebar, click Account settings
  4. Under Password policy, click Edit
  5. Check the box for Custom password policy (if not already selected)
  6. Set Minimum password length to 14 (or higher)
  7. Click Save changes

AWS CLI (optional)

Run the following command to set the minimum password length to 14 characters:

aws iam update-account-password-policy \
    --minimum-password-length 14 \
    --region us-east-1

Important: The update-account-password-policy command does not support partial updates. Parameters you do not specify will revert to their default values. To preserve your existing policy settings, first retrieve the current policy and include all parameters in your update.

To view the current password policy:

aws iam get-account-password-policy --region us-east-1

To set a comprehensive password policy with 14-character minimum:

aws iam update-account-password-policy \
    --minimum-password-length 14 \
    --require-symbols \
    --require-numbers \
    --require-uppercase-characters \
    --require-lowercase-characters \
    --allow-users-to-change-password \
    --max-password-age 90 \
    --password-reuse-prevention 24 \
    --region us-east-1
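
The retrieve, merge, update and verify sequence that the partial-update note above calls for, as an added Python example that is not part of the original page: the function names, the FakeIAM stand-in and the sample policy are this example's own constructions, and the client calls are shaped after boto3's IAM client (pass a real boto3.client("iam") in place of the fake to run it against an account).

```python
# Added example (not from the page): raise the IAM minimum password length to 14 while
# keeping the rest of the current policy. Pass a real boto3.client("iam") to use it.
REQUIRED_MIN_LENGTH = 14

# Keys of the GetAccountPasswordPolicy response that UpdateAccountPasswordPolicy
# also accepts as parameters; ExpirePasswords is response-only and is dropped.
UPDATABLE_KEYS = ("MinimumPasswordLength", "RequireSymbols", "RequireNumbers",
                  "RequireUppercaseCharacters", "RequireLowercaseCharacters",
                  "AllowUsersToChangePassword", "MaxPasswordAge",
                  "PasswordReusePrevention", "HardExpiry")

def is_compliant(policy, required=REQUIRED_MIN_LENGTH):
    """True when the policy's minimum length meets the check's threshold."""
    return policy.get("MinimumPasswordLength", 0) >= required

def build_update(policy, required=REQUIRED_MIN_LENGTH):
    """Full parameter set for the update call: every current value is echoed back
    (the API has no partial update) and only the length is raised."""
    params = {k: v for k, v in policy.items() if k in UPDATABLE_KEYS}
    params["MinimumPasswordLength"] = max(policy.get("MinimumPasswordLength", 0), required)
    return params

def enforce_minimum_length(iam, required=REQUIRED_MIN_LENGTH):
    """Read, merge, update only if non-compliant, then re-read to verify the length."""
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        policy = {}  # no custom policy yet: the account is still on the AWS default
    if not is_compliant(policy, required):
        iam.update_account_password_policy(**build_update(policy, required))
    return iam.get_account_password_policy()["PasswordPolicy"]["MinimumPasswordLength"]

class FakeIAM:
    """Constructed stand-in for the boto3 IAM client so the flow can run offline."""
    class exceptions:
        NoSuchEntityException = type("NoSuchEntityException", (Exception,), {})
    def __init__(self, policy=None):
        self.policy, self.updates = policy, []
    def get_account_password_policy(self):
        if self.policy is None:
            raise self.exceptions.NoSuchEntityException()
        return {"PasswordPolicy": dict(self.policy)}
    def update_account_password_policy(self, **params):
        self.updates.append(params)  # record the exact parameters sent to the API
        self.policy = dict(params, ExpirePasswords="MaxPasswordAge" in params)

# Constructed sample: an otherwise strict policy that still allows 8-character passwords.
SAMPLE_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
                 "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
                 "AllowUsersToChangePassword": True, "ExpirePasswords": True,
                 "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False}
```

Running enforce_minimum_length(FakeIAM(dict(SAMPLE_POLICY))) sends one update that keeps the 90-day age and 24-entry reuse history and returns 14; a second call finds the policy compliant and sends nothing.
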

CloudFormation (optional)

AWS CloudFormation does not have a native resource type for IAM account password policies. You have two alternatives:

  1. Use a Custom Resource with Lambda - Create a Lambda function that calls the IAM API and invoke it via CloudFormation Custom Resource
  2. Use AWS CLI or Terraform - These tools have native support for password policies

For organizations managing password policies at scale, consider using AWS Organizations Service Control Policies (SCPs) combined with AWS Config rules to enforce and monitor compliance.

Terraform (optional)

Use the aws_iam_account_password_policy resource to configure the minimum password length:

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

Apply with:

terraform init
terraform plan
terraform apply

Verification

After making changes, verify the password policy is correctly configured:

  1. In the AWS Console, go to IAM > Account settings
  2. Confirm that Minimum password length shows 14 (or your chosen value)

CLI Verification

aws iam get-account-password-policy --region us-east-1 --query 'PasswordPolicy.MinimumPasswordLength'

Expected output: 14 (or your chosen value of 14 or higher)

Additional Resources

Notes

  • Existing passwords are not affected - Changing the policy only affects new passwords and password changes. Users with existing passwords shorter than 14 characters will need to update their passwords to meet the new requirement when they next change their password.

  • Consider going beyond 14 characters - While 14 is the minimum recommended, security experts often recommend 16 or more characters for stronger protection.

  • Combine with other password requirements - Minimum length is most effective when combined with complexity requirements (uppercase, lowercase, numbers, symbols) and password history prevention.

  • Enable MFA for stronger security - Password policies are one layer of defense. Enable Multi-Factor Authentication (MFA) for all IAM users to protect against credential theft.

  • Consider federation - For organizations with existing identity providers, consider using AWS IAM Identity Center (formerly AWS SSO) with federation. This delegates authentication to your corporate identity provider and may provide more sophisticated password policies.