
IAM Password Policy Requires at Least One Number

Overview

This check verifies that your AWS account's IAM password policy requires users to include at least one numeric character (0-9) in their passwords. Requiring numbers increases password complexity and makes passwords harder to guess.

Risk

Passwords without numbers are easier to crack. If an attacker gains access to an IAM user account, they could:

  • View sensitive data stored in your AWS resources
  • Modify configurations and settings across your infrastructure
  • Delete resources or disrupt services
  • Incur unexpected costs by spinning up expensive resources

Adding a numeric requirement is a simple step that meaningfully strengthens your security posture.

Remediation Steps

Prerequisites

You need permission to modify the IAM account password policy. This typically requires the iam:UpdateAccountPasswordPolicy permission or administrative access.

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to IAM (search for "IAM" in the search bar)
  3. In the left navigation, click Account settings
  4. Under "Password policy", click Edit
  5. Check the box for Require at least one number
  6. Click Save changes

That's it! The policy takes effect immediately for any new passwords.

AWS CLI (optional)

Run the following command to enable the numeric requirement:

aws iam update-account-password-policy \
    --require-numbers \
    --region us-east-1

Important Note: The update-account-password-policy command does not support partial updates. When you run this command with only --require-numbers, all other password policy settings will revert to their defaults.

To preserve your existing settings while adding the number requirement, first retrieve your current policy:

aws iam get-account-password-policy --region us-east-1

Then include all your existing settings in the update command:

aws iam update-account-password-policy \
    --minimum-password-length 14 \
    --require-symbols \
    --require-numbers \
    --require-uppercase-characters \
    --require-lowercase-characters \
    --allow-users-to-change-password \
    --max-password-age 90 \
    --password-reuse-prevention 24 \
    --region us-east-1

Adjust the values above to match your organization's requirements.
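The get-then-update sequence above is easy to get wrong by hand, so here is an added Python example (not part of this page or of any AWS tooling) that does it in one step. It assumes boto3 is installed and that the running credentials have iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy; the function names and the sample policy dictionary are constructed for this example. It also handles two details the CLI commands do not spell out: the ExpirePasswords field comes back from the get call but is not an accepted input to the update call, and an account that has never set a custom policy makes the get call fail with NoSuchEntity.

```python
"""Re-apply an IAM account password policy with RequireNumbers=True while
keeping every other setting that is already in place."""

# Parameters update_account_password_policy accepts (boto3 names).
# Note that ExpirePasswords, which get_account_password_policy returns,
# is not among them; passing it raises a parameter validation error.
UPDATABLE_KEYS = {
    "MinimumPasswordLength",
    "RequireSymbols",
    "RequireNumbers",
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "AllowUsersToChangePassword",
    "MaxPasswordAge",
    "PasswordReusePrevention",
    "HardExpiry",
}


def build_update_params(current_policy, require_numbers=True):
    """Return the kwargs for update_account_password_policy that preserve
    every existing setting and set RequireNumbers.

    current_policy is the 'PasswordPolicy' dict from
    get_account_password_policy, or an empty dict when the account has no
    custom policy yet. Because the update call resets anything you omit
    to its default, every updatable key is carried over explicitly.
    """
    params = {k: v for k, v in current_policy.items() if k in UPDATABLE_KEYS}
    params["RequireNumbers"] = require_numbers
    return params


def apply_require_numbers(iam_client=None):
    """Read the live policy and re-apply it with RequireNumbers=True.

    boto3 is imported here (assumption: it is installed where this runs)
    so build_update_params can be used and tested without it.
    """
    import boto3
    from botocore.exceptions import ClientError

    iam = iam_client or boto3.client("iam")  # IAM is global; no region needed
    try:
        current = iam.get_account_password_policy()["PasswordPolicy"]
    except ClientError as exc:
        if exc.response["Error"]["Code"] != "NoSuchEntity":
            raise
        current = {}  # account is still on the AWS default policy
    params = build_update_params(current)
    iam.update_account_password_policy(**params)
    return params


# Constructed sample: what get_account_password_policy might return for an
# account that already enforces length and symbols but not numbers.
SAMPLE_CURRENT_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}

if __name__ == "__main__":
    # Dry run on the sample; call apply_require_numbers() to change the
    # real account policy.
    print(build_update_params(SAMPLE_CURRENT_POLICY))
```

Running the script as-is only prints the parameters it would send for the sample policy; calling apply_require_numbers() performs the live change and returns the parameters it applied, which you can log for change tracking.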

CloudFormation (optional)

AWS CloudFormation does not have a native resource type for IAM Account Password Policy. You have two options:

Option 1: Use a Custom Resource with Lambda

This requires creating a Lambda function to manage the password policy:

AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Account Password Policy requiring numbers via Custom Resource

Resources:
  PasswordPolicyFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: iam-password-policy-manager
      Runtime: python3.11
      Handler: index.handler
      Timeout: 30
      Role: !GetAtt PasswordPolicyFunctionRole.Arn
      Code:
        # The cfnresponse module is provided by Lambda for inline (ZipFile) code.
        ZipFile: |
          import boto3
          import cfnresponse

          def handler(event, context):
              iam = boto3.client('iam')
              try:
                  if event['RequestType'] in ['Create', 'Update']:
                      # The full policy is applied every time, because
                      # update_account_password_policy resets any omitted
                      # setting to its default.
                      iam.update_account_password_policy(
                          RequireNumbers=True,
                          MinimumPasswordLength=14,
                          RequireSymbols=True,
                          RequireUppercaseCharacters=True,
                          RequireLowercaseCharacters=True,
                          AllowUsersToChangePassword=True
                      )
                  # On Delete the policy is left in place. CloudFormation
                  # still needs a response, otherwise the stack operation
                  # hangs until the custom resource times out.
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
              except Exception as e:
                  cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)})

  PasswordPolicyFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: IAMPasswordPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - iam:UpdateAccountPasswordPolicy
                  - iam:GetAccountPasswordPolicy
                # The account password policy has no ARN of its own, so
                # these actions can only be granted on '*'.
                Resource: '*'

  AccountPasswordPolicy:
    Type: Custom::IAMAccountPasswordPolicy
    Properties:
      ServiceToken: !GetAtt PasswordPolicyFunction.Arn
      # Passed to the handler in event['ResourceProperties']; the settings
      # themselves are fixed in the handler code above.
      RequireNumbers: true

Option 2: Use AWS CLI in a deployment script

Many teams manage password policy outside of CloudFormation using deployment scripts or configuration management tools.

Terraform (optional)

Add the following resource to your Terraform configuration:

resource "aws_iam_account_password_policy" "strict" {
  require_numbers = true
}

For a comprehensive password policy following AWS best practices:

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

Apply the configuration:

terraform init
terraform plan
terraform apply

Verification

After making changes, verify the policy is correctly configured:

  1. In the AWS Console, go to IAM > Account settings
  2. Confirm that "Require at least one number" shows a checkmark

CLI Verification

aws iam get-account-password-policy --region us-east-1 --query 'PasswordPolicy.RequireNumbers'

Expected output:

true

To see the full policy:

aws iam get-account-password-policy --region us-east-1
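Checking one flag with --query is enough for this finding, but the same CLI output can be audited for the whole set of settings this page recommends (numbers, uppercase, lowercase, symbols and a 14-character minimum). The script below is an added example, not part of this page or of any AWS or scanner tooling; it reads the JSON that aws iam get-account-password-policy prints on stdin, and the function names, thresholds table and sample response are constructed here. It also treats empty input as "no custom policy", which is what you get when the CLI fails with NoSuchEntity on an account still using the AWS default policy (which enforces no complexity rules at all).

```python
"""Audit the output of `aws iam get-account-password-policy` against the
settings recommended on this page.

Usage:
    aws iam get-account-password-policy | python3 check_policy.py
"""
import json
import sys

# Recommended boolean settings (key names as returned by the API).
REQUIRED_FLAGS = {
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireSymbols": True,
}
MIN_LENGTH = 14


def check_password_policy(policy):
    """Return a list of findings; an empty list means every recommended
    setting is in place.

    policy is the 'PasswordPolicy' object from the API response, or None
    when the account has no custom policy. The AWS default policy has no
    complexity requirements, so that case is itself a finding.
    """
    if policy is None:
        return ["no custom password policy; account is on the AWS default policy"]
    findings = []
    for key, wanted in REQUIRED_FLAGS.items():
        actual = policy.get(key, False)  # an absent flag is not enforced
        if actual != wanted:
            findings.append(f"{key} is {actual}, should be {wanted}")
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(
            f"MinimumPasswordLength is {length}, should be at least {MIN_LENGTH}"
        )
    return findings


def check_cli_output(text):
    """Parse the CLI's JSON output and run the checks. Empty input is
    treated as 'no policy' (the CLI prints nothing to stdout when it
    fails with NoSuchEntity)."""
    text = text.strip()
    policy = json.loads(text)["PasswordPolicy"] if text else None
    return check_password_policy(policy)


# Constructed sample response: symbols and uppercase enforced, but the
# numeric requirement is off and the minimum length is too short.
SAMPLE_CLI_OUTPUT = """
{
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": true,
        "RequireNumbers": false,
        "RequireUppercaseCharacters": true,
        "RequireLowercaseCharacters": false,
        "AllowUsersToChangePassword": true,
        "ExpirePasswords": false
    }
}
"""

if __name__ == "__main__":
    # Read piped CLI output; fall back to the sample when run interactively.
    raw = SAMPLE_CLI_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    findings = check_cli_output(raw)
    for finding in findings:
        print("FAIL:", finding)
    if not findings:
        print("PASS: password policy meets all recommended settings")
    sys.exit(1 if findings else 0)
```

The non-zero exit status makes the script usable as a gate in a pipeline or a scheduled job, so a policy that drifts back to the defaults (for example after a bare update-account-password-policy call) is caught rather than silently accepted.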

Additional Resources

Notes

  • Existing passwords are not affected. The policy applies only to new passwords or password changes. Consider requiring a password rotation to enforce compliance across all users.
  • Combine with other requirements. For stronger security, also enable uppercase, lowercase, and symbol requirements, along with a minimum password length of at least 14 characters.
  • Consider MFA. Password complexity is just one layer. Enable multi-factor authentication (MFA) for all IAM users, especially those with console access.
  • Prefer federated access. Where possible, use AWS IAM Identity Center (formerly AWS SSO) with your identity provider instead of IAM user passwords.